Text 15, 1223 lines
Written 2004-12-12 18:29:00 by KURT WISMER (1:123/140)
Subject: News, Dec. 12 2004
==========================
[cut-n-paste from sophos.com]
Name W32/Atak-F
Type
* Worm
How it spreads
* Email attachments
Affected operating systems
* Windows
Side effects
* Forges the sender's email address
* Uses its own emailing engine
* Installs itself in the Registry
Prevalence (1-5) 2
Description
W32/Atak-F is a Windows worm that spreads via email. W32/Atak-F copies
itself to a file with a random name in the Windows system folder and
changes the win.ini file or creates a new registry entry to run
automatically when Windows starts up.
W32/Atak-F sends itself to email addresses found on the system. The worm
arrives as a ZIP attachment in an email. The subject line, message text
and attachment filenames are randomly constructed.
Advanced
W32/Atak-F is a Windows worm that spreads via email. W32/Atak-F copies
itself to a file with a random name in the Windows system folder. In
order to run automatically when Windows starts up, on W9x systems
W32/Atak-F inserts a 'load=' entry under the [windows] section of the
win.ini file while on NT, W2k and XP systems the worm sets the following
registry entry:
HKCU\Software\Microsoft\Windows NT\CurrentVersion\Windows
load=
W32/Atak-F sends itself to email addresses found on the system. The worm
harvests addresses from files with various extensions such as HTM, EML,
ASP and DBX.
The worm arrives as a ZIP attachment in an email. The subject line,
message text and attachment filenames are randomly constructed from the
following building blocks.
The attachment filename is one of
separate_file.zip
textfile.zip
print.zip
note.zip
white_paper.zip
part001.zip.
The Subject line has the format
' Password: 2aff (temporary password)
Please check our website to learn about our features
http://www.microsoft.com .
Your account information has been saved. Please check when needed.
Your sincerely,
microsoft.com Team
Name Troj/Brabot-A
Type
* Trojan
Affected operating systems
* Windows
Side effects
* Steals information
* Reduces system security
* Installs itself in the Registry
* Leaves non-infected files on computer
Aliases
* Backdoor.Win32.Brabot.a
* W32/Generic.worm!p2p
Prevalence (1-5) 2
Description
Troj/Brabot-A is a backdoor Trojan that accepts commands via IRC.
Advanced
Troj/Brabot-A creates the following registry entry so as to start
automatically when a user logs on:
HKLM\Software\Microsoft\Windows\CurrentVersion\Run
lmloader
Troj/Brabot-A also creates two helper components lEXPLORE.exe and
pws.exe in the Windows folder.
Pws.exe is a legitimate password recovery tool and may be safely deleted.
IEXPLORE.exe is a command-line driven vulnerability scanner and may also
be safely deleted.
Name W32/Agobot-NX
Type
* Worm
How it spreads
* Network shares
Affected operating systems
* Windows
Side effects
* Turns off anti-virus applications
* Allows others to access the computer
* Modifies data on the computer
* Deletes files off the computer
* Steals information
Prevalence (1-5) 2
Description
W32/Agobot-NX is an IRC backdoor Trojan and network worm.
W32/Agobot-NX is capable of spreading to computers on the local network
protected by weak passwords.
When first run, W32/Agobot-NX copies itself to the Windows system folder
as bmsvc32.exe.
W32/Agobot-NX runs continuously in the background providing backdoor
access to the computer through IRC channels.
W32/Agobot-NX attempts to terminate and disable various anti-virus and
security related programs and modifies the HOSTS file located at
%WINDOWS%\System32\Drivers\etc\HOSTS, mapping selected anti-virus
websites to the loopback address 127.0.0.1 in an attempt to prevent
access to these sites.
Advanced
W32/Agobot-NX is an IRC backdoor Trojan and network worm.
W32/Agobot-NX is capable of spreading to computers on the local network
protected by weak passwords.
When first run, W32/Agobot-NX copies itself to the Windows system folder
as bmsvc32.exe and creates the following registry entries to run itself
on startup:
HKLM\Software\Microsoft\Windows\CurrentVersion\Run\
Bmsvc32 = "bmsvc32.exe"
HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices\
Bmsvc32 = "bmsvc32.exe"
The worm also sets or modifies the following registry entry:
HKCR\.key\
@="regfile"
W32/Agobot-NX runs continuously in the background providing backdoor
access to the computer through IRC channels.
W32/Agobot-NX attempts to terminate and disable various anti-virus and
security related programs and modifies the HOSTS file located at
%WINDOWS%\System32\Drivers\etc\HOSTS, mapping selected anti-virus
websites to the loopback address 127.0.0.1 in an attempt to prevent
access to these sites. Typically the following mappings will be appended
to the HOSTS file:
127.0.0.1 www.symantec.com
127.0.0.1 securityresponse.symantec.com
127.0.0.1 symantec.com
127.0.0.1 www.sophos.com
127.0.0.1 sophos.com
127.0.0.1 www.mcafee.com
127.0.0.1 mcafee.com
127.0.0.1 liveupdate.symantecliveupdate.com
127.0.0.1 www.viruslist.com
127.0.0.1 viruslist.com
127.0.0.1 f-secure.com
127.0.0.1 www.f-secure.com
127.0.0.1 kaspersky.com
127.0.0.1 www.avp.com
127.0.0.1 www.kaspersky.com
127.0.0.1 avp.com
127.0.0.1 www.networkassociates.com
127.0.0.1 networkassociates.com
127.0.0.1 www.ca.com
127.0.0.1 ca.com
127.0.0.1 mast.mcafee.com
127.0.0.1 my-etrust.com
127.0.0.1 www.my-etrust.com
127.0.0.1 download.mcafee.com
127.0.0.1 dispatch.mcafee.com
127.0.0.1 secure.nai.com
127.0.0.1 nai.com
127.0.0.1 www.nai.com
127.0.0.1 update.symantec.com
127.0.0.1 updates.symantec.com
127.0.0.1 us.mcafee.com
127.0.0.1 liveupdate.symantec.com
127.0.0.1 customer.symantec.com
127.0.0.1 rads.mcafee.com
127.0.0.1 trendmicro.com
127.0.0.1 www.trendmicro.com
Name W32/Bagle-AA
Type
* Worm
Aliases
* Win32/Bagle.AB
* WORM_BAGLE.Z
* I-Worm.Bagle.z
Prevalence (1-5) 4
Description
W32/Bagle-AA is an email aware worm, and a member of the W32/Bagle
family of worms.
When first run W32/Bagle-AA will display a fake error message containing
the text "Can't find a viewer associated with the file".
W32/Bagle-AA copies itself to the Windows system folder with the
filename drvddll.exe and then runs the worm from that location.
The email sent by the worm may use one of the following subject lines:
Re: Msg reply
Re: Hello
Re: Yahoo!
Re: Thank you!
Re: Thanks :)
RE: Text message
Re: Document
Incoming message
Re: Incoming Message
RE: Incoming Msg
RE: Message Notify
Notification
Changes..
New changes
Hidden message
Fax Message Received
Protected message
RE: Protected message
Forum notify
Site changes
Re: Hi
Encrypted document
The attachment sent by the worm may carry an EXE, SCR, COM, ZIP, VBS,
HTA or CPL extension.
The following registry entry is created so that the worm is run when a
user logs on to Windows:
HKLM\Software\Microsoft\Windows\CurrentVersion\Run\
drvddll.exe = drvddll.exe
W32/Bagle-AA scans all fixed drives recursively for WAB, TXT, MSG, HTM,
SHTM, STM, XML, DBX, MBX, MDX, EML, NCH, MMF, ODS, CFG, ASP, PHP, PL,
WSH, ADB, TBB, SHT, XLS, OFT, UIN, CGI, MHT, DHTM and JSP files,
extracts email addresses from them and uses those addresses for the mass
mailing component of the worm.
The worm will create copies of itself with the following filenames in
folders that contain the string "shar" in their name:
Microsoft Office 2003 Crack, Working!.exe
Microsoft Windows XP, WinXP Crack, working Keygen.exe
Microsoft Office XP working Crack, Keygen.exe
Porno, sex, oral, anal cool, awesome!!.exe
Porno Screensaver.scr
Serials.txt.exe
KAV 5.0
Kaspersky Antivirus 5.0
Porno pics arhive, xxx.exe
Windows Sourcecode update.doc.exe
Ahead Nero 7.exe
Windown Longhorn Beta Leak.exe
Opera 8 New!.exe
XXX hardcore images.exe
WinAmp 6 New!.exe
WinAmp 5 Pro Keygen Crack Update.exe
Adobe Photoshop 9 full.exe
Matrix 3 Revolution English Subtitles.exe
ACDSee 9.exe
W32/Bagle-AA attempts to terminate any of the following processes:
OUTPOST.EXE
NMAIN.EXE
NORTON_INTERNET_SECU_3.0_407.EXE
NPF40_TW_98_NT_ME_2K.EXE
NPFMESSENGER.EXE
NPROTECT.EXE
NSCHED32.EXE
NTVDM.EXE
NVARCH16.EXE
KERIO-WRP-421-EN-WIN.EXE
KILLPROCESSSETUP161.EXE
LDPRO.EXE
LOCALNET.EXE
LOCKDOWN.EXE
LOCKDOWN2000.EXE
LSETUP.EXE
CLEANPC.EXE
AVprotect9x.exe
CMGRDIAN.EXE
CMON016.EXE
CPF9X206.EXE
CPFNT206.EXE
CV.EXE
CWNB181.EXE
CWNTDWMO.EXE
ICSSUPPNT.EXE
DEFWATCH.EXE
DEPUTY.EXE
DPF.EXE
DPFSETUP.EXE
DRWATSON.EXE
ENT.EXE
ESCANH95.EXE
AVXQUAR.EXE
ESCANHNT.EXE
ESCANV95.EXE
AVPUPD.EXE
EXANTIVIRUS-CNET.EXE
FAST.EXE
FIREWALL.EXE
FLOWPROTECTOR.EXE
FP-WIN_TRIAL.EXE
FRW.EXE
FSAV.EXE
AUTODOWN.EXE
FSAV530STBYB.EXE
FSAV530WTBYB.EXE
FSAV95.EXE
GBMENU.EXE
GBPOLL.EXE
GUARD.EXE
GUARDDOG.EXE
HACKTRACERSETUP.EXE
HTLOG.EXE
HWPE.EXE
IAMAPP.EXE
IAMSERV.EXE
ICLOAD95.EXE
ICLOADNT.EXE
ICMON.EXE
ICSUPP95.EXE
ICSUPPNT.EXE
IFW2000.EXE
IPARMOR.EXE
IRIS.EXE
JAMMER.EXE
ATUPDATER.EXE
AUPDATE.EXE
KAVLITE40ENG.EXE
KAVPERS40ENG.EXE
KERIO-PF-213-EN-WIN.EXE
KERIO-WRL-421-EN-WIN.EXE
BORG2.EXE
BS120.EXE
CDP.EXE
CFGWIZ.EXE
CFIADMIN.EXE
CFIAUDIT.EXE
AUTOUPDATE.EXE
CFINET.EXE
NAVAPW32.EXE
NAVDX.EXE
NAVSTUB.EXE
NAVW32.EXE
NC2000.EXE
NCINST4.EXE
AUTOTRACE.EXE
NDD32.EXE
NEOMONITOR.EXE
NETARMOR.EXE
NETINFO.EXE
NETMON.EXE
NETSCANPRO.EXE
NETSPYHUNTER-1.2.EXE
NETSTAT.EXE
NISSERV.EXE
NISUM.EXE
CFIAUDIT.EXE
LUCOMSERVER.EXE
AGENTSVR.EXE
ANTI-TROJAN.EXE
ANTIVIRUS.EXE
ANTS.EXE
APIMONITOR.EXE
APLICA32.EXE
APVXDWIN.EXE
ATCON.EXE
ATGUARD.EXE
ATRO55EN.EXE
ATWATCH.EXE
AVCONSOL.EXE
AVGSERV9.EXE
AVSYNMGR.EXE
BD_PROFESSIONAL.EXE
BIDEF.EXE
BIDSERVER.EXE
BIPCP.EXE
BIPCPEVALSETUP.EXE
BISP.EXE
BLACKD.EXE
BLACKICE.EXE
BOOTWARN.EXE
NWINST4.EXE
NWTOOL16.EXE
OSTRONET.EXE
OUTPOSTINSTALL.EXE
OUTPOSTPROINSTALL.EXE
PADMIN.EXE
PANIXK.EXE
PAVPROXY.EXE
DRWEBUPW.EXE
PCC2002S902.EXE
PCC2K_76_1436.EXE
PCCIOMON.EXE
PCDSETUP.EXE
PCFWALLICON.EXE
PCIP10117_0.EXE
PDSETUP.EXE
PERISCOPE.EXE
PERSFW.EXE
PF2.EXE
AVLTMAIN.EXE
PFWADMIN.EXE
PINGSCAN.EXE
PLATIN.EXE
POPROXY.EXE
POPSCAN.EXE
PORTDETECTIVE.EXE
PPINUPDT.EXE
drvsys.exe
PPTBC.EXE
PPVSTOP.EXE
PROCEXPLORERV1.0.EXE
PROPORT.EXE
PROTECTX.EXE
PSPF.EXE
WGFE95.EXE
WHOSWATCHINGME.EXE
AVWUPD32.EXE
NUPGRADE.EXE
WHOSWATCHINGME.EXE
WINRECON.EXE
WNT.EXE
WRADMIN.EXE
WRCTRL.EXE
WSBGATE.EXE
WYVERNWORKSFIREWALL.EXE
XPF202EN.EXE
ZAPRO.EXE
ZAPSETUP3001.EXE
ZATUTOR.EXE
CFINET32.EXE
CLEAN.EXE
CLEANER.EXE
CLEANER3.EXE
CLEANPC.EXE
CMGRDIAN.EXE
CMON016.EXE
CPD.EXE
CFGWIZ.EXE
CFIADMIN.EXE
PURGE.EXE
PVIEW95.EXE
QCONSOLE.EXE
QSERVER.EXE
RAV8WIN32ENG.EXE
REGEDT32.EXE
REGEDIT.EXE
UPDATE.EXE
RESCUE.EXE
RESCUE32.EXE
RRGUARD.EXE
RSHELL.EXE
RTVSCN95.EXE
RULAUNCH.EXE
SAFEWEB.EXE
SBSERV.EXE
SD.EXE
SETUP_FLOWPROTECTOR_US.EXE
SETUPVAMEEVAL.EXE
SFC.EXE
SGSSFW32.EXE
SH.EXE
SHELLSPYINSTALL.EXE
SHN.EXE
SMC.EXE
SOFI.EXE
SPF.EXE
SPHINX.EXE
SPYXX.EXE
SS3EDIT.EXE
ST2.EXE
SUPFTRL.EXE
LUALL.EXE
SUPPORTER5.EXE
SYMPROXYSVC.EXE
SYSEDIT.EXE
TASKMON.EXE
TAUMON.EXE
TAUSCAN.EXE
TC.EXE
TCA.EXE
TCM.EXE
TDS2-98.EXE
TDS2-NT.EXE
TDS-3.EXE
TFAK5.EXE
TGBOB.EXE
TITANIN.EXE
TITANINXP.EXE
TRACERT.EXE
TRJSCAN.EXE
TRJSETUP.EXE
TROJANTRAP3.EXE
UNDOBOOT.EXE
VBCMSERV.EXE
VBCONS.EXE
VBUST.EXE
VBWIN9X.EXE
VBWINNTW.EXE
VCSETUP.EXE
VFSETUP.EXE
VIRUSMDPERSONALFIREWALL.EXE
VNLAN300.EXE
VNPC3000.EXE
VPC42.EXE
VPFW30S.EXE
VPTRAY.EXE
VSCENU6.02D30.EXE
VSECOMR.EXE
VSHWIN32.EXE
VSISETUP.EXE
VSMAIN.EXE
VSMON.EXE
VSSTAT.EXE
VSWIN9XE.EXE
VSWINNTSE.EXE
VSWINPERSE.EXE
W32DSM89.EXE
W9X.EXE
WATCHDOG.EXE
WEBSCANX.EXE
CFIAUDIT.EXE
CFINET.EXE
ICSUPP95.EXE
MCUPDATE.EXE
CFINET32.EXE
CLEAN.EXE
CLEANER.EXE
LUINIT.EXE
MCAGENT.EXE
MCUPDATE.EXE
MFW2EN.EXE
MFWENG3.02D30.EXE
MGUI.EXE
MINILOG.EXE
MOOLIVE.EXE
MRFLUX.EXE
MSCONFIG.EXE
MSINFO32.EXE
MSSMMC32.EXE
MU0311AD.EXE
NAV80TRY.EXE
ZAUINST.EXE
ZONALM2601.EXE
ZONEALARM.EXE
Name W32/Bagle-Zip
Type
* Worm
Aliases
* Win32/Bagle.gen.zip
Prevalence (1-5) 4
Description
Sophos Anti-Virus detects as W32/Bagle-Zip the password-protected
archive files created by W32/Bagle-F, W32/Bagle-G, W32/Bagle-H,
W32/Bagle-I, W32/Bagle-J, W32/Bagle-K (ZIP archives), W32/Bagle-N,
W32/Bagle-O (ZIP and RAR archives), W32/Bagle-W, W32/Bagle-AA ,
W32/Bagle-AF and W32/Bagle-AG.
Name W32/Setclo-A
Type
* Worm
How it spreads
* Network shares
Affected operating systems
* Windows
Side effects
* Installs itself in the Registry
Aliases
* W32/Setclo.worm
* Win32/VB.IL
* Worm.Automat.AHO
Prevalence (1-5) 2
Description
W32/Setclo-A is a network worm for the Windows platform.
W32/Setclo-A will spread by attempting to copy itself to drives on the
local computer and to open network shares. The worm will copy itself
with a filename of SETUP.EXE.
Advanced
W32/Setclo-A is a network worm for the Windows platform.
W32/Setclo-A will spread by attempting to copy itself to drives on the
local computer and to open network shares. The worm will copy itself
with a filename of SETUP.EXE.
In order to run automatically each time the network share or local drive
is opened, W32/Setclo-A will create a file named AUTORUN.INF in the root
folder of the drive or share. The file will have the following contents:
[autorun]
open=setup.exe
This AUTORUN.INF file can be safely deleted.
In order to run automatically each time a user logs on, W32/Setclo-A
will set the following registry entry:
HKLM\Software\Microsoft\Windows\CurrentVersion\Run
svchost
<path to worm>
Name W32/Anig-C
Type
* Worm
How it spreads
* Network shares
Affected operating systems
* Windows
Side effects
* Allows others to access the computer
* Records keystrokes
* Installs itself in the Registry
Aliases
* W32.HLLW.Anig
* W32/Anig.worm.gen
Prevalence (1-5) 3
Description
W32/Anig-C is a worm that can spread by copying itself over network
shares.
W32/Anig-C can also be used to steal passwords.
W32/Anig-C attempts to spread by copying itself to the share ADMIN$ on
remote computers.
W32/Anig-C may drop a DLL file with keylogging functionality called
GinaDLL.DLL and open port 5190 in order to receive remote commands.
Advanced
W32/Anig-C is a worm that can spread by copying itself over network
shares.
W32/Anig-C can also be used to steal passwords.
W32/Anig-C copies itself to <Windows>\System32 using its original
filename and creates the following registry entry in order to run on
system restart:
HKLM\Software\Microsoft\Windows\CurrentVersion\Run\Osa32
W32/Anig-C attempts to spread by copying itself to the share ADMIN$ on
remote computers.
W32/Anig-C may drop a DLL file with keylogging functionality called
GinaDLL.DLL and open port 5190 in order to receive remote commands.
On NT based versions of Windows, W32/Anig-C registers itself as a
service called <filename> with the display name Distributed File
Controller. The new service has a Startup type of automatic so that the
service is started automatically each time a new Windows session is
started. New registry entries are created beneath the following registry
entry:
HKLM\System\CurrentControlSet\Services\dfcsvc
W32/Anig-C may also create the following registry entry:
HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon
GinaDll
ntgina.dll
Name W32/Rbot-RJ
Type
* Worm
How it spreads
* Network shares
Affected operating systems
* Windows
Side effects
* Turns off anti-virus applications
* Allows others to access the computer
* Reduces system security
* Installs itself in the Registry
Prevalence (1-5) 2
Description
W32/Rbot-RJ is a worm which attempts to spread to remote network shares.
The worm also contains backdoor Trojan functionality, allowing
unauthorised remote access to the infected computer via IRC channels.
W32/Rbot-RJ may prevent access to some anti-virus websites and may
terminate some anti-virus and security software.
Advanced
W32/Rbot-RJ is a worm which attempts to spread to remote network shares.
The worm also contains backdoor Trojan functionality, allowing
unauthorised remote access to the infected computer via IRC channels
while running in the background as a service process.
W32/Rbot-RJ may spread to network shares with weak passwords and via
network security exploits.
W32/Rbot-RJ worm copies itself to the Windows system folder as a random
four letter name with an EXE extension. The worm then sets the following
registry entries to ensure it is run on startup:
HKLM\Software\Microsoft\Windows\CurrentVersion\Run\
Daemons Updates Services
HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices\
Daemons Updates Services
HKCU\Software\Microsoft\Windows\CurrentVersion\Run\
Daemons Updates Services
HKCU\Software\Microsoft\Windows\CurrentVersion\RunServices\
Daemons Updates Services
Each entry is set to the generated random name.
W32/Rbot-RJ may set the following registry entries, again often
resetting them at regular intervals:
HKLM\SOFTWARE\Microsoft\Ole\
EnableDCOM
N
HKLM\SYSTEM\CurrentControlSet\Control\Lsa\
restrictanonymous
1
W32/Rbot-RJ may periodically set all the above values to these new
values.
W32/Rbot-RJ may also attempt to terminate certain processes relating to
anti-virus, security and system programs, such as:
SWEEP95.EXE
BLACKICE.EXE
DRWATSON.EXE
REGEDIT.EXE
SCAN95.EXE
F-PROT95.EXE
AVP.EXE
W32/Rbot-RJ may also update the file
<system>\drivers\etc\hosts
appending entries such as
127.0.0.1 www.sophos.com
in order to prevent the machine contacting various anti-virus websites,
including:
www.sophos.com
www.symantec.com
www.mcafee.com
www.kaspersky.com
www.avp.com
Name W32/Maslan-C
Type
* Worm
How it spreads
* Email attachments
* Network shares
Affected operating systems
* Windows
Side effects
* Sends itself to email addresses found on the infected computer
* Drops more malware
* Uses its own emailing engine
* Installs itself in the Registry
* Exploits system or software vulnerabilities
Aliases
* Net-Worm.Win32.Maslan.b
Prevalence (1-5) 2
Description
W32/Maslan-C is a worm which spreads by emailing itself to addresses
found on the infected computer.
The worm also spreads to network shares with weak passwords and to
computers vulnerable to the LSASS exploit (MS04-011) and RPC-DCOM
exploit (MS03-039).
W32/Maslan-C copies existing executable files on the computer to a new
location called "___b" and places copies of the worm where the original
files used to be.
Advanced
W32/Maslan-C is a worm which spreads by emailing itself to addresses
found on the infected computer.
The worm also spreads to network shares with weak passwords and to
computers vulnerable to the LSASS exploit (MS04-011) and RPC-DCOM
exploit (MS03-039).
W32/Maslan-C copies itself to the Windows system folder and creates a
number of other files on the computer which make up the components of
the worm. W32/Maslan-C also installs the W32/Sdbot-RW worm onto the
computer.
W32/Maslan-C creates the following registry entry to run itself
automatically on log-on:
HKLM\Software\Microsoft\Windows\CurrentVersion\Run
Microsoft Windows DHCP
C:\WINDOWS\System32\___r.exe
W32/Maslan-C copies existing executable files on the computer to a new
location called "___b" and places copies of the worm where the original
files used to be.
W32/Maslan-C sends emails with the following characteristics:
Subject Line:
123
File attachment:
Playgirls2.exe
Message Body:
Hello <random name>,
--Best regards,
<random sender name>
On the first of the month W32/Maslan-C attacks the following websites:
kavkazcenter.com
kavkazcenter.net
kavkazcenter.info
kavkaz.uk.com
kavkaz.org.uk
kavkaz.tv
chechenpress.com
chechenpress.info
Name Troj/Banker-BG
Type
* Trojan
Affected operating systems
* Windows
Side effects
* Steals credit card details
* Steals information
* Records keystrokes
* Installs itself in the Registry
Aliases
* PWS-Bancban.gen.b
* TrojanSpy.Win32.Banbra.q
Prevalence (1-5) 2
Description
Troj/Banker-BG is a password stealing Trojan aimed at customers of
Brazilian banks.
Troj/Banker-BG will monitor a user's internet access. When certain
internet banking sites are visited, the Trojan will display a fake login
screen in order to trick the user into inputting their details.
Troj/Banker-BG will then send the stolen details to a Brazilian email
address.
Advanced
Troj/Banker-BG is a password stealing Trojan aimed at customers of
Brazilian banks.
Troj/Banker-BG will monitor a user's internet access. When certain
internet banking sites are visited, the Trojan will display a fake login
screen in order to trick the user into inputting their details.
Troj/Banker-BG will then send the stolen details to a Brazilian email
address.
In order to run automatically each time a user logs in, Troj/Banker-BG
will set the following registry entry:
HKLM\Software\Microsoft\Windows\CurrentVersion\Run
<Trojan filename without extension>
<path to Trojan>
Name W32/Rbot-RF
Type
* Worm
How it spreads
* Network shares
Affected operating systems
* Windows
Side effects
* Allows others to access the computer
* Downloads code from the internet
* Reduces system security
* Records keystrokes
* Installs itself in the Registry
Aliases
* Backdoor.Win32.Rbot.gen
* W32/Sdbot.worm.gen.j
* WORM_SPYBOT.HF
Prevalence (1-5) 2
Description
W32/Rbot-RF is a network worm and IRC backdoor Trojan for the Windows
platform.
W32/Rbot-RF spreads using a variety of techniques including exploiting
weak passwords on computers and SQL servers, exploiting operating system
vulnerabilities (including DCOM-RPC, LSASS, WebDAV and UPNP) and using
backdoors opened by other worms or Trojans.
W32/Rbot-RF can be controlled by a remote attacker over IRC channels.
The backdoor component of W32/Rbot-RF can be instructed by a remote user
to perform the following functions:
start an FTP server
start a Proxy server
start a web server
take part in distributed denial of service (DDoS) attacks
log keypresses
capture screen/webcam images
packet sniffing
port scanning
download/execute arbitrary files
start a remote shell (RLOGIN)
Advanced
W32/Rbot-RF is a network worm and IRC backdoor Trojan for the Windows
platform.
W32/Rbot-RF spreads using a variety of techniques including exploiting
weak passwords on computers and SQL servers, exploiting operating system
vulnerabilities (including DCOM-RPC, LSASS, WebDAV and UPNP) and using
backdoors opened by other worms or Trojans.
W32/Rbot-RF can be controlled by a remote attacker over IRC channels.
The backdoor component of W32/Rbot-RF can be instructed by a remote user
to perform the following functions:
start an FTP server
start a Proxy server
start a web server
take part in distributed denial of service (DDoS) attacks
log keypresses
capture screen/webcam images
packet sniffing
port scanning
download/execute arbitrary files
start a remote shell (RLOGIN)
The worm copies itself to a file named WindowsSP.exe in the Windows
system folder and creates the following registry entries:
HKCU\Software\Microsoft\OLE
Microsoft Service Pack
"WindowsSP.exe"
HKLM\Software\Microsoft\Windows\CurrentVersion\Run\
Microsoft Service Pack
"WindowsSP.exe"
HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices\
Microsoft Service Pack
"WindowsSP.exe"
Patches for the operating system vulnerabilities exploited by
W32/Rbot-RF can be obtained from Microsoft at:
http://www.microsoft.com/technet/security/bulletin/ms04-011.mspx
http://www.microsoft.com/technet/security/bulletin/ms03-039.mspx
http://www.microsoft.com/technet/security/bulletin/ms03-007.mspx
http://www.microsoft.com/technet/security/bulletin/ms01-059.mspx
Name Troj/Agent-BF
Type
* Trojan
Affected operating systems
* Windows
Side effects
* Downloads code from the internet
* Installs itself in the Registry
Aliases
* Trojan-Downloader.Win32.Agent.ea
Prevalence (1-5) 2
Description
Troj/Agent-BF is a downloading Trojan for the Windows platform that
attempts to download and run a program from a remote location.
Troj/Agent-BF attempts to download and execute a file named
_tmpbf07a.exe from a predefined remote location.
Advanced
Troj/Agent-BF copies itself to the Windows system folder with a random
filename and, in order to run automatically when a user logs on, sets the
following registry entry with the path to the copy:
HKLM\Software\Microsoft\Windows\CurrentVersion\Run\
Troj/Agent-BF also sets the following registry entries:
HKLM\Software\Microsoft\Windows\CurrentVersion\
ShellRegId
<random name>
HKLM\Software\Microsoft\Windows\CurrentVersion\Run\
<random name>
<random name>.exe
Name W32/Rbot-RE
Type
* Worm
How it spreads
* Network shares
Affected operating systems
* Windows
Side effects
* Turns off anti-virus applications
* Allows others to access the computer
* Steals information
* Downloads code from the internet
* Reduces system security
* Modifies passwords
Aliases
* Win32.Rbot.gen
Prevalence (1-5) 2
Description
W32/Rbot-RE is an IRC backdoor Trojan and network worm.
W32/Rbot-RE may spread to remote network shares protected by weak
passwords and computers vulnerable to common exploits. The worm also
opens up a backdoor, allowing unauthorised remote access to infected
computers via the IRC network.
W32/Rbot-RE can receive commands from a remote intruder to delete
network shares, log keypresses, participate in DDoS attacks, scan other
computers for vulnerabilities, steal passwords, steal registration keys
for computer games, create administrator accounts, terminate firewall
and anti-virus processes and capture video from webcameras attached to
the computer.
Advanced
W32/Rbot-RE is an IRC backdoor Trojan and network worm.
W32/Rbot-RE may spread to remote network shares protected by weak
passwords and computers vulnerable to common exploits. The worm also
opens up a backdoor, allowing unauthorised remote access to infected
computers via the IRC network, while running in the background as a
service process.
W32/Rbot-RE can receive commands from a remote intruder to delete
network shares, log keypresses, participate in DDoS attacks, scan other
computers for vulnerabilities, steal passwords, steal registration keys
for computer games, create administrator accounts, terminate firewall
and anti-virus processes and capture video from webcameras attached to
the computer.
W32/Rbot-RE copies itself to the Windows system folder and creates the
following registry entries to run automatically on log-on:
HKLM\Software\Microsoft\Windows\CurrentVersion\Run\
Windows Secure Messaging System
msnmsgrsrvc.exe
HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices\
Windows Secure Messaging System
msnmsgrsrvc.exe
HKCU\Software\Microsoft\Windows\CurrentVersion\Run\
Windows Secure Messaging System
msnmsgrsrvc.exe
In addition, W32/Rbot-RE also attempts to alter the following registry
entries, if they are not already set:
HKLM\SOFTWARE\Microsoft\Ole\
EnableDCOM
"N"
HKLM\SYSTEM\CurrentControlSet\Control\Lsa\
restrictanonymous
1
--- MultiMail/Win32 v0.43
* Origin: Try Our Web Based QWK: DOCSPLACE.ORG (1:123/140)
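The Agobot, Rbot, Setclo and Anig write-ups in the post above share a small set of host-based indicators: security-vendor domains pinned to 127.0.0.1 in the HOSTS file, Run/RunServices values with the names the descriptions give, EnableDCOM and restrictanonymous being forced to N and 1, a Winlogon GinaDll override (ntgina.dll) and an AUTORUN.INF containing open=setup.exe. The Python below is an added example written for this page; it is not Sophos code and not part of Kurt Wismer's post. It runs those checks over constructed sample input (a HOSTS excerpt, a .reg export and an AUTORUN.INF). The value names, file names and domains are taken from the descriptions above; the sample data, the function names and the inclusion of the shellexecute autorun directive are assumptions made here.

```python
"""Host-based triage for the indicators described in the write-ups above.

Added example for this page (not Sophos code). Checks a HOSTS file, a .reg
export and an AUTORUN.INF for the signs the descriptions give. All sample
input at the bottom is constructed.
"""
from typing import Dict, List, Optional, Tuple

# Security-vendor name fragments. W32/Agobot-NX and W32/Rbot-RJ are described
# as pinning such hosts to 127.0.0.1 so updates and signature downloads fail;
# matching on the vendor fragment catches hosts the write-ups do not list.
VENDOR_HINTS = ("symantec", "sophos", "mcafee", "f-secure", "kaspersky",
                "avp.com", "nai.com", "trendmicro", "ca.com", "my-etrust",
                "viruslist", "networkassociates")

# Run/RunServices value names the descriptions above attribute to each family.
KNOWN_RUN_NAMES = {
    "Bmsvc32": "W32/Agobot-NX",
    "Daemons Updates Services": "W32/Rbot-RJ",
    "Microsoft Service Pack": "W32/Rbot-RF",
    "Windows Secure Messaging System": "W32/Rbot-RE",
    "Microsoft Windows DHCP": "W32/Maslan-C",
    "lmloader": "Troj/Brabot-A",
    "svchost": "W32/Setclo-A",
    "drvddll.exe": "W32/Bagle-AA",
    "Osa32": "W32/Anig-C",
}


def hosts_hijacks(hosts_text: str) -> List[Tuple[str, str]]:
    """Return (ip, hostname) pairs where a vendor host is pinned to loopback."""
    hits = []
    for raw in hosts_text.splitlines():
        line = raw.split("#", 1)[0].strip()      # drop comments
        if not line:
            continue
        ip, *names = line.split()
        if not ip.startswith("127.") and ip != "::1":
            continue
        for name in names:
            lname = name.lower()
            if lname != "localhost" and any(h in lname for h in VENDOR_HINTS):
                hits.append((ip, name))
    return hits


def parse_reg_export(text: str) -> Dict[str, Dict[str, str]]:
    """Minimal parser for regedit's .reg export: {key_path: {value_name: data}}."""
    keys: Dict[str, Dict[str, str]] = {}
    current: Optional[str] = None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys[current] = {}
        elif current is not None and line.startswith('"') and '"=' in line:
            name, data = line[1:].split('"=', 1)
            # .reg doubles backslashes inside quoted string data
            keys[current][name] = data.strip('"').replace("\\\\", "\\")
    return keys


def _dword(data: str) -> Optional[int]:
    """Decode a .reg 'dword:0000000N' value; None for strings or other types."""
    if data.lower().startswith("dword:"):
        return int(data.split(":", 1)[1], 16)
    return None


def registry_findings(keys: Dict[str, Dict[str, str]]) -> List[str]:
    """Flag the registry changes the Agobot/Rbot/Anig descriptions give."""
    findings = []
    for path, values in keys.items():
        leaf = path.rsplit("\\", 1)[-1].lower()
        if leaf in ("run", "runservices"):
            for name, data in values.items():
                family = KNOWN_RUN_NAMES.get(name)
                if family:
                    findings.append(f"{family}: autorun value '{name}' = {data} in {path}")
        # EnableDCOM=N is also a legitimate hardening setting, so this is a
        # lead to correlate with the other findings, not a verdict on its own.
        if leaf == "ole" and values.get("EnableDCOM", "").upper() == "N":
            findings.append(f"EnableDCOM=N in {path} (set by W32/Rbot-RJ and W32/Rbot-RE)")
        if leaf == "lsa" and _dword(values.get("restrictanonymous", "")) == 1:
            findings.append(f"restrictanonymous=1 in {path} (set by W32/Rbot-RJ and W32/Rbot-RE)")
        if leaf == "winlogon":
            # The value is normally absent; msgina.dll is the built-in GINA.
            gina = values.get("GinaDll")
            if gina and gina.lower() != "msgina.dll":
                findings.append(f"GinaDll override '{gina}' in {path} (W32/Anig-C keylogger hook)")
    return findings


def autorun_target(autorun_text: str) -> Optional[str]:
    """Return the program an AUTORUN.INF would launch, or None.

    W32/Setclo-A is described as dropping '[autorun]' / 'open=setup.exe'.
    'shellexecute' is the other launch directive; checking it is an
    assumption of this example, not something the write-up mentions.
    """
    in_section = False
    for raw in autorun_text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            in_section = line[1:-1].lower() == "autorun"
        elif in_section and "=" in line:
            key, _, value = line.partition("=")
            if key.strip().lower() in ("open", "shellexecute"):
                return value.strip()
    return None


def triage(hosts_text: str, reg_text: str, autorun_text: str) -> List[str]:
    """Combine all three checks into one list of human-readable findings."""
    findings = [f"HOSTS pins {name} to {ip}" for ip, name in hosts_hijacks(hosts_text)]
    findings += registry_findings(parse_reg_export(reg_text))
    target = autorun_target(autorun_text)
    if target:
        findings.append(f"AUTORUN.INF launches {target} (W32/Setclo-A pattern)")
    return findings


# --- constructed sample input, modelled on the descriptions above ---------
SAMPLE_HOSTS = """\
# constructed sample HOSTS file
127.0.0.1 localhost
127.0.0.1 www.sophos.com
127.0.0.1 liveupdate.symantecliveupdate.com
127.0.0.1 www.kaspersky.com
192.168.1.10 intranet.example
"""

SAMPLE_REG = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Daemons Updates Services"="qwez.exe"
"Bmsvc32"="bmsvc32.exe"
"VendorTray"="C:\\Program Files\\Vendor\\tray.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Ole]
"EnableDCOM"="N"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa]
"restrictanonymous"=dword:00000001

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"GinaDll"="ntgina.dll"
"""

SAMPLE_AUTORUN = "[autorun]\nopen=setup.exe\n"

if __name__ == "__main__":
    for finding in triage(SAMPLE_HOSTS, SAMPLE_REG, SAMPLE_AUTORUN):
        print(finding)
```

On a live Windows box the inputs would come from %SystemRoot%\System32\drivers\etc\hosts, `reg export` of the Run, RunServices, Ole, Lsa and Winlogon keys, and the root of each drive and share; the checks above are deliberately string-based so they can also be run against files pulled from a disk image. A random four-letter executable name such as Rbot-RJ uses is not matched by name; the Run value name is the stable indicator there, which is why the table keys on it.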