Conference DIRTY_DOZEN, 201 texts
Text 15, 1223 lines
Written 2004-12-12 18:29:00 by KURT WISMER (1:123/140)
Subject: News, Dec. 12 2004
==========================
[cut-n-paste from sophos.com]

Name   W32/Atak-F

Type  
    * Worm

How it spreads  
    * Email attachments

Affected operating systems  
    * Windows

Side effects  
    * Forges the sender's email address
    * Uses its own emailing engine
    * Installs itself in the Registry

Prevalence (1-5) 2

Description
W32/Atak-F is a Windows worm that spreads via email. W32/Atak-F copies 
itself to a file with a random name in the Windows system folder and 
changes the win.ini file or creates a new registry entry to run 
automatically when Windows starts up.

W32/Atak-F sends itself to email addresses found on the system. The worm 
arrives as a ZIP attachment in an email. The subject line, message text 
and attachment filenames are randomly constructed.

Advanced
W32/Atak-F is a Windows worm that spreads via email. W32/Atak-F copies 
itself to a file with a random name in the Windows system folder. In 
order to run automatically when Windows starts up, on W9x systems 
W32/Atak-F inserts a 'load=' entry under the [windows] section of the 
win.ini file while on NT, W2k and XP systems the worm sets the following 
registry entry:

HKCU\Software\Microsoft\Windows NT\CurrentVersion\Windows
load=

W32/Atak-F sends itself to email addresses found on the system. The worm 
harvests addresses from files with various extensions such as HTM, EML, 
ASP and DBX.
The worm arrives as a ZIP attachment in an email. The subject line, 
message text and attachment filenames are randomly constructed from the 
following building blocks.

The attachment filename is one of

separate_file.zip
textfile.zip
print.zip
note.zip
white_paper.zip
part001.zip.

The Subject line has the format

' Password: 2aff (temporary password)
Please check our website to learn about our features
http://www.microsoft.com .
Your account information has been saved. Please check when needed.

Your sincerely,
microsoft.com Team





Name   Troj/Brabot-A

Type  
    * Trojan

Affected operating systems  
    * Windows

Side effects  
    * Steals information
    * Reduces system security
    * Installs itself in the Registry
    * Leaves non-infected files on computer

Aliases  
    * Backdoor.Win32.Brabot.a
    * W32/Generic.worm!p2p

Prevalence (1-5) 2

Description
Troj/Brabot-A is a backdoor Trojan that accepts commands via IRC.

Advanced
Troj/Brabot-A creates the following registry entry so as to start 
automatically when a user logs on:

HKLM\Software\Microsoft\Windows\CurrentVersion\Run
lmloader

Troj/Brabot-A also creates two helper components lEXPLORE.exe and 
pws.exe in the Windows folder.
Pws.exe is a legitimate password recovery tool and may be safely deleted.
IEXPLORE.exe is a command-line driven vulnerability scanner and may also 
be safely deleted.





Name   W32/Agobot-NX

Type  
    * Worm

How it spreads  
    * Network shares

Affected operating systems  
    * Windows

Side effects  
    * Turns off anti-virus applications
    * Allows others to access the computer
    * Modifies data on the computer
    * Deletes files off the computer
    * Steals information

Prevalence (1-5) 2

Description
W32/Agobot-NX is an IRC backdoor Trojan and network worm.

W32/Agobot-NX is capable of spreading to computers on the local network 
protected by weak passwords.

When first run, W32/Agobot-NX copies itself to the Windows system folder 
as bmsvc32.exe.

W32/Agobot-NX runs continuously in the background providing backdoor 
access to the computer through IRC channels.

W32/Agobot-NX attempts to terminate and disable various anti-virus and 
security related programs and modifies the HOSTS file located at
%WINDOWS%\System32\Drivers\etc\HOSTS, mapping selected anti-virus 
websites to the loopback address 127.0.0.1 in an attempt to prevent 
access to these sites.

Advanced
W32/Agobot-NX is an IRC backdoor Trojan and network worm.

W32/Agobot-NX is capable of spreading to computers on the local network 
protected by weak passwords.

When first run, W32/Agobot-NX copies itself to the Windows system folder 
as bmsvc32.exe and creates the following registry entries to run itself 
on startup:

HKLM\Software\Microsoft\Windows\CurrentVersion\Run\
Bmsvc32 = "bmsvc32.exe"

HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices\
Bmsvc32 = "bmsvc32.exe"

The worm also sets or modifies the following registry entry:
HKCR\.key\
@="regfile"

W32/Agobot-NX runs continuously in the background providing backdoor 
access to the computer through IRC channels.

W32/Agobot-NX attempts to terminate and disable various anti-virus and 
security related programs and modifies the HOSTS file located at
%WINDOWS%\System32\Drivers\etc\HOSTS, mapping selected anti-virus 
websites to the loopback address 127.0.0.1 in an attempt to prevent 
access to these sites. Typically the following mappings will be appended 
to the HOSTS file:

127.0.0.1 www.symantec.com
127.0.0.1 securityresponse.symantec.com
127.0.0.1 symantec.com
127.0.0.1 www.sophos.com
127.0.0.1 sophos.com
127.0.0.1 www.mcafee.com
127.0.0.1 mcafee.com
127.0.0.1 liveupdate.symantecliveupdate.com
127.0.0.1 www.viruslist.com
127.0.0.1 viruslist.com
127.0.0.1 f-secure.com
127.0.0.1 www.f-secure.com
127.0.0.1 kaspersky.com
127.0.0.1 www.avp.com
127.0.0.1 www.kaspersky.com
127.0.0.1 avp.com
127.0.0.1 www.networkassociates.com
127.0.0.1 networkassociates.com
127.0.0.1 www.ca.com
127.0.0.1 ca.com
127.0.0.1 mast.mcafee.com
127.0.0.1 my-etrust.com
127.0.0.1 www.my-etrust.com
127.0.0.1 download.mcafee.com
127.0.0.1 dispatch.mcafee.com
127.0.0.1 secure.nai.com
127.0.0.1 nai.com
127.0.0.1 www.nai.com
127.0.0.1 update.symantec.com
127.0.0.1 updates.symantec.com
127.0.0.1 us.mcafee.com
127.0.0.1 liveupdate.symantec.com
127.0.0.1 customer.symantec.com
127.0.0.1 rads.mcafee.com
127.0.0.1 trendmicro.com
127.0.0.1 www.trendmicro.com





Name   W32/Bagle-AA

Type  
    * Worm

Aliases  
    * Win32/Bagle.AB
    * WORM_BAGLE.Z
    * I-Worm.Bagle.z

Prevalence (1-5) 4

Description
W32/Bagle-AA is an email aware worm, and a member of the W32/Bagle 
family of worms.

When first run W32/Bagle-AA will display a fake error message containing 
the text "Can't find a viewer associated with the file".

W32/Bagle-AA copies itself to the Windows system folder with the 
filename drvddll.exe and then runs the worm from that location.

The email sent by the worm may use one of the following subject lines:

Re: Msg reply
Re: Hello
Re: Yahoo!
Re: Thank you!
Re: Thanks :)
RE: Text message
Re: Document
Incoming message
Re: Incoming Message
RE: Incoming Msg
RE: Message Notify
Notification
Changes..
New changes
Hidden message
Fax Message Received
Protected message
RE: Protected message
Forum notify
Site changes
Re: Hi
Encrypted document

The attachment sent by the worm may carry an EXE, SCR, COM, ZIP, VBS, 
HTA or CPL extension.

The following registry entry is created so that the worm is run when a 
user logs on to Windows:

HKLM\Software\Microsoft\Windows\CurrentVersion\Run\
drvddll.exe = drvddll.exe

W32/Bagle-AA scans all fixed drives recursively for WAB, TXT, MSG, HTM, 
SHTM, STM, XML, DBX, MBX, MDX, EML, NCH, MMF, ODS, CFG, ASP, PHP, PL, 
WSH, ADB, TBB, SHT, XLS, OFT, UIN, CGI, MHT, DHTM and JSP files, 
extracts email addresses from them and uses those addresses for the mass 
mailing component of the worm.

The worm will create copies of itself with the following filenames in 
folders that contain the string "shar" in their name:

Microsoft Office 2003 Crack, Working!.exe
Microsoft Windows XP, WinXP Crack, working Keygen.exe
Microsoft Office XP working Crack, Keygen.exe
Porno, sex, oral, anal cool, awesome!!.exe
Porno Screensaver.scr
Serials.txt.exe
KAV 5.0
Kaspersky Antivirus 5.0
Porno pics arhive, xxx.exe
Windows Sourcecode update.doc.exe
Ahead Nero 7.exe
Windown Longhorn Beta Leak.exe
Opera 8 New!.exe
XXX hardcore images.exe
WinAmp 6 New!.exe
WinAmp 5 Pro Keygen Crack Update.exe
Adobe Photoshop 9 full.exe
Matrix 3 Revolution English Subtitles.exe
ACDSee 9.exe

W32/Bagle-AA attempts to terminate any of the following processes:






Name   W32/Bagle-Zip

Type  
    * Worm

Aliases  
    * Win32/Bagle.gen.zip

Prevalence (1-5) 4

Description
Sophos Anti-Virus detects as W32/Bagle-Zip the password-protected 
archive files created by W32/Bagle-F, W32/Bagle-G, W32/Bagle-H, 
W32/Bagle-I, W32/Bagle-J, W32/Bagle-K (ZIP archives), W32/Bagle-N, 
W32/Bagle-O (ZIP and RAR archives), W32/Bagle-W, W32/Bagle-AA, 
W32/Bagle-AF and W32/Bagle-AG.





Name   W32/Setclo-A

Type  
    * Worm

How it spreads  
    * Network shares

Affected operating systems  
    * Windows

Side effects  
    * Installs itself in the Registry

Aliases  
    * W32/Setclo.worm
    * Win32/VB.IL
    * Worm.Automat.AHO

Prevalence (1-5) 2

Description
W32/Setclo-A is a network worm for the Windows platform.

W32/Setclo-A will spread by attempting to copy itself to drives on the 
local computer and to open network shares. The worm will copy itself 
with a filename of SETUP.EXE.

Advanced
W32/Setclo-A is a network worm for the Windows platform.

W32/Setclo-A will spread by attempting to copy itself to drives on the 
local computer and to open network shares. The worm will copy itself 
with a filename of SETUP.EXE.

In order to run automatically each time the network share or local drive 
is opened, W32/Setclo-A will create a file named AUTORUN.INF in the root 
folder of the drive or share. The file will have the following contents:

[autorun]
open=setup.exe

This AUTORUN.INF file can be safely deleted.

In order to run automatically each time a user logs on, W32/Setclo-A 
will set the following registry entry:

HKLM\Software\Microsoft\Windows\CurrentVersion\Run
svchost
<path to worm>





Name   W32/Anig-C

Type  
    * Worm

How it spreads  
    * Network shares

Affected operating systems  
    * Windows

Side effects  
    * Allows others to access the computer
    * Records keystrokes
    * Installs itself in the Registry

Aliases  
    * W32.HLLW.Anig
    * W32/Anig.worm.gen

Prevalence (1-5) 3

Description
W32/Anig-C is a worm that can spread by copying itself over network 
shares.

W32/Anig-C can also be used to steal passwords.

W32/Anig-C attempts to spread by copying itself to the share ADMIN$ on 
remote computers.

W32/Anig-C may drop a DLL file with keylogging functionality called 
GinaDLL.DLL and open port 5190 in order to receive remote commands.

Advanced
W32/Anig-C is a worm that can spread by copying itself over network 
shares.

W32/Anig-C can also be used to steal passwords.

W32/Anig-C copies itself to <Windows>\System32 using its original 
filename and creates the following registry entry in order to run on 
system restart:

HKLM\Software\Microsoft\Windows\CurrentVersion\Run\Osa32

W32/Anig-C attempts to spread by copying itself to the share ADMIN$ on 
remote computers.

W32/Anig-C may drop a DLL file with keylogging functionality called 
GinaDLL.DLL and open port 5190 in order to receive remote commands.

On NT based versions of Windows, W32/Anig-C registers itself as a 
service called <filename> with the display name Distributed File 
Controller. The new service has a Startup type of automatic so that the 
service is started automatically each time a new Windows session is 
started. New registry entries are created beneath the following registry 
entry:

HKLM\System\CurrentControlSet\Services\dfcsvc

W32/Anig-C may also create the following registry entry:

HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon
GinaDll
ntgina.dll





Name   W32/Rbot-RJ

Type  
    * Worm

How it spreads  
    * Network shares

Affected operating systems  
    * Windows

Side effects  
    * Turns off anti-virus applications
    * Allows others to access the computer
    * Reduces system security
    * Installs itself in the Registry

Prevalence (1-5) 2

Description
W32/Rbot-RJ is a worm which attempts to spread to remote network shares. 
The worm also contains backdoor Trojan functionality, allowing 
unauthorised remote access to the infected computer via IRC channels.

W32/Rbot-RJ may prevent access to some anti-virus websites and may
terminate some anti-virus and security software.

Advanced
W32/Rbot-RJ is a worm which attempts to spread to remote network shares. 
The worm also contains backdoor Trojan functionality, allowing 
unauthorised remote access to the infected computer via IRC channels 
while running in the background as a service process.

W32/Rbot-RJ may spread to network shares with weak passwords and via 
network security exploits.

The W32/Rbot-RJ worm copies itself to the Windows system folder as a random 
four-letter name with an EXE extension. The worm then sets the following 
registry entries to ensure it is run on startup:

HKLM\Software\Microsoft\Windows\CurrentVersion\Run\
Daemons Updates Services

HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices\
Daemons Updates Services

HKCU\Software\Microsoft\Windows\CurrentVersion\Run\
Daemons Updates Services

HKCU\Software\Microsoft\Windows\CurrentVersion\RunServices\
Daemons Updates Services

Each entry is set to the generated random name.

W32/Rbot-RJ may set the following registry entries, again often 
resetting them at regular intervals:

HKLM\SOFTWARE\Microsoft\Ole\
EnableDCOM
N

HKLM\SYSTEM\CurrentControlSet\Control\Lsa\
restrictanonymous
1

W32/Rbot-RJ may periodically set all the above values to these new 
values.

W32/Rbot-RJ may also attempt to terminate certain processes relating to 
anti-virus, security and system programs, such as:

SWEEP95.EXE
BLACKICE.EXE
DRWATSON.EXE
REGEDIT.EXE
SCAN95.EXE
F-PROT95.EXE
AVP.EXE

W32/Rbot-RJ may also update the file

<system>\drivers\etc\host

appending entries such as

127.0.0.1 www.sophos.com

in order to prevent the machine contacting various anti-virus websites, 
including:

www.sophos.com
www.symantec.com
www.mcafee.com
www.kaspersky.com
www.avp.com





Name   W32/Maslan-C

Type  
    * Worm

How it spreads  
    * Email attachments
    * Network shares

Affected operating systems  
    * Windows

Side effects  
    * Sends itself to email addresses found on the infected computer
    * Drops more malware
    * Uses its own emailing engine
    * Installs itself in the Registry
    * Exploits system or software vulnerabilities

Aliases  
    * Net-Worm.Win32.Maslan.b

Prevalence (1-5) 2

Description
W32/Maslan-C is a worm which spreads by emailing itself to addresses 
found on the infected computer.

The worm also spreads to network shares with weak passwords and to 
computers vulnerable to the LSASS exploit (MS04-011) and RPC-DCOM 
exploit (MS03-039).

W32/Maslan-C copies existing executable files on the computer to a new 
location called "___b" and places copies of the worm where the original 
files used to be.

Advanced
W32/Maslan-C is a worm which spreads by emailing itself to addresses 
found on the infected computer.

The worm also spreads to network shares with weak passwords and to 
computers vulnerable to the LSASS exploit (MS04-011) and RPC-DCOM 
exploit (MS03-039).

W32/Maslan-C copies itself to the Windows system folder and creates a 
number of other files on the computer which make up the components of 
the worm. W32/Maslan-C also installs the W32/Sdbot-RW worm onto the 
computer.

W32/Maslan-C creates the following registry entry to run itself 
automatically on log-on:

HKLM\Software\Microsoft\Windows\CurrentVersion\Run
Microsoft Windows DHCP
C:\WINDOWS\System32\___r.exe

W32/Maslan-C copies existing executable files on the computer to a new 
location called "___b" and places copies of the worm where the original 
files used to be.

W32/Maslan-C sends emails with the following characteristics:

Subject Line:

123

File attachment:

Playgirls2.exe

Message Body:

Hello <random name>,

--Best regards,
<random sender name>

On the first of the month W32/Maslan-C attacks the following websites:

kavkazcenter.com
kavkazcenter.net
kavkazcenter.info
kavkaz.uk.com
kavkaz.org.uk
kavkaz.tv
chechenpress.com
chechenpress.info





Name   Troj/Banker-BG

Type  
    * Trojan

Affected operating systems  
    * Windows

Side effects  
    * Steals credit card details
    * Steals information
    * Records keystrokes
    * Installs itself in the Registry

Aliases  
    * PWS-Bancban.gen.b
    * TrojanSpy.Win32.Banbra.q

Prevalence (1-5) 2

Description
Troj/Banker-BG is a password stealing Trojan aimed at customers of 
Brazilian banks.

Troj/Banker-BG will monitor a user's internet access. When certain 
internet banking sites are visited, the Trojan will display a fake login 
screen in order to trick the user into inputting their details.

Troj/Banker-BG will then send the stolen details to a Brazilian email 
address.

Advanced
Troj/Banker-BG is a password stealing Trojan aimed at customers of 
Brazilian banks.

Troj/Banker-BG will monitor a user's internet access. When certain 
internet banking sites are visited, the Trojan will display a fake login 
screen in order to trick the user into inputting their details.

Troj/Banker-BG will then send the stolen details to a Brazilian email 
address.

In order to run automatically each time a user logs in, Troj/Banker-BG 
will set the following registry entry:

HKLM\Software\Microsoft\Windows\CurrentVersion\Run
<Trojan filename without extension>
<path to Trojan>





Name   W32/Rbot-RF

Type  
    * Worm

How it spreads  
    * Network shares

Affected operating systems  
    * Windows

Side effects  
    * Allows others to access the computer
    * Downloads code from the internet
    * Reduces system security
    * Records keystrokes
    * Installs itself in the Registry

Aliases  
    * Backdoor.Win32.Rbot.gen
    * W32/Sdbot.worm.gen.j
    * WORM_SPYBOT.HF

Prevalence (1-5) 2

Description
W32/Rbot-RF is a network worm and IRC backdoor Trojan for the Windows 
platform.

W32/Rbot-RF spreads using a variety of techniques including exploiting 
weak passwords on computers and SQL servers, exploiting operating system 
vulnerabilities (including DCOM-RPC, LSASS, WebDAV and UPNP) and using 
backdoors opened by other worms or Trojans.

W32/Rbot-RF can be controlled by a remote attacker over IRC channels. 
The backdoor component of W32/Rbot-RF can be instructed by a remote user 
to perform the following functions:

start an FTP server
start a Proxy server
start a web server
take part in distributed denial of service (DDoS) attacks
log keypresses
capture screen/webcam images
packet sniffing
port scanning
download/execute arbitrary files
start a remote shell (RLOGIN)

Advanced
W32/Rbot-RF is a network worm and IRC backdoor Trojan for the Windows 
platform.

W32/Rbot-RF spreads using a variety of techniques including exploiting 
weak passwords on computers and SQL servers, exploiting operating system 
vulnerabilities (including DCOM-RPC, LSASS, WebDAV and UPNP) and using 
backdoors opened by other worms or Trojans.

W32/Rbot-RF can be controlled by a remote attacker over IRC channels. 
The backdoor component of W32/Rbot-RF can be instructed by a remote user 
to perform the following functions:

start an FTP server
start a Proxy server
start a web server
take part in distributed denial of service (DDoS) attacks
log keypresses
capture screen/webcam images
packet sniffing
port scanning
download/execute arbitrary files
start a remote shell (RLOGIN)

The worm copies itself to a file named WindowsSP.exe in the Windows 
system folder and creates the following registry entries:

HKCU\Software\Microsoft\OLE
Microsoft Service Pack
"WindowsSP.exe"

HKLM\Software\Microsoft\Windows\CurrentVersion\Run\
Microsoft Service Pack
"WindowsSP.exe"

HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices\
Microsoft Service Pack
"WindowsSP.exe"

Patches for the operating system vulnerabilities exploited by 
W32/Rbot-RF can be obtained from Microsoft at:

http://www.microsoft.com/technet/security/bulletin/ms04-011.mspx
http://www.microsoft.com/technet/security/bulletin/ms03-039.mspx
http://www.microsoft.com/technet/security/bulletin/ms03-007.mspx
http://www.microsoft.com/technet/security/bulletin/ms01-059.mspx





Name   Troj/Agent-BF

Type  
    * Trojan

Affected operating systems  
    * Windows

Side effects  
    * Downloads code from the internet
    * Installs itself in the Registry

Aliases  
    * Trojan-Downloader.Win32.Agent.ea

Prevalence (1-5) 2

Description
Troj/Agent-BF is a downloading Trojan for the Windows platform that 
attempts to download and run a program from a remote location.

Troj/Agent-BF attempts to download and execute a file named 
_tmpbf07a.exe from a predefined remote location.

Advanced
Troj/Agent-BF copies itself to the Windows system folder with a random 
filename and, in order to run automatically when a user logs on, sets the 
following registry entry with the path to the copy:

HKLM\Software\Microsoft\Windows\CurrentVersion\Run\

Troj/Agent-BF also sets the following registry entries:

HKLM\Software\Microsoft\Windows\CurrentVersion\
ShellRegId
<random name>

HKLM\Software\Microsoft\Windows\CurrentVersion\Run\
<random name>
<random name>.exe





Name   W32/Rbot-RE

Type  
    * Worm

How it spreads  
    * Network shares

Affected operating systems  
    * Windows

Side effects  
    * Turns off anti-virus applications
    * Allows others to access the computer
    * Steals information
    * Downloads code from the internet
    * Reduces system security
    * Modifies passwords

Aliases  
    * Win32.Rbot.gen

Prevalence (1-5) 2

Description
W32/Rbot-RE is an IRC backdoor Trojan and network worm.

W32/Rbot-RE may spread to remote network shares protected by weak 
passwords and computers vulnerable to common exploits. The worm also 
opens up a backdoor, allowing unauthorised remote access to infected 
computers via the IRC network.

W32/Rbot-RE can receive commands from a remote intruder to delete 
network shares, log keypresses, participate in DDoS attacks, scan other 
computers for vulnerabilities, steal passwords, steal registration keys 
for computer games, create administrator accounts, terminate firewall 
and anti-virus processes and capture video from webcameras attached to 
the computer.

Advanced
W32/Rbot-RE is an IRC backdoor Trojan and network worm.

W32/Rbot-RE may spread to remote network shares protected by weak 
passwords and computers vulnerable to common exploits. The worm also 
opens up a backdoor, allowing unauthorised remote access to infected 
computers via the IRC network, while running in the background as a 
service process.

W32/Rbot-RE can receive commands from a remote intruder to delete 
network shares, log keypresses, participate in DDoS attacks, scan other 
computers for vulnerabilities, steal passwords, steal registration keys 
for computer games, create administrator accounts, terminate firewall 
and anti-virus processes and capture video from webcameras attached to 
the computer.

W32/Rbot-RE copies itself to the Windows system folder and creates the 
following registry entries to run automatically on log-on:

HKLM\Software\Microsoft\Windows\CurrentVersion\Run\
Windows Secure Messaging System
msnmsgrsrvc.exe

HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices\
Windows Secure Messaging System
msnmsgrsrvc.exe

HKCU\Software\Microsoft\Windows\CurrentVersion\Run\
Windows Secure Messaging System
msnmsgrsrvc.exe

In addition, W32/Rbot-RE also attempts to alter the following registry 
entries, if they are not already set:

HKLM\SOFTWARE\Microsoft\Ole\
EnableDCOM
"N"

HKLM\SYSTEM\CurrentControlSet\Control\Lsa\
restrictanonymous
1

 
--- MultiMail/Win32 v0.43
 * Origin: Try Our Web Based QWK: DOCSPLACE.ORG (1:123/140)
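An added example, not code from the original post or from Sophos: a small Python triage script that checks offline for three of the persistence and tampering artefacts the descriptions above name (HOSTS lines pinning security-vendor domains to 127.0.0.1 as W32/Agobot-NX and W32/Rbot-RJ do, an AUTORUN.INF whose [autorun] section launches an executable as W32/Setclo-A does, and a load= line under [windows] in win.ini as W32/Atak-F does on Windows 9x). The sample file contents, the fileserver hostname and the filename qxtz8.exe are constructed; the vendor domain list is assumed from the vendors named above, and the run= check is a generalisation to the other classic win.ini autostart key.

```python
"""Offline triage for persistence artefacts described in the Sophos notes.

Added example (not from the original post or Sophos). It flags:
  * HOSTS lines mapping security-vendor domains to loopback
  * an AUTORUN.INF whose [autorun] section launches an executable
  * load= / run= under [windows] in win.ini (run= is a generalisation)
All sample inputs below are constructed; qxtz8.exe is a made-up filename.
"""

# Base domains of the vendors named in the HOSTS mappings quoted above.
VENDOR_DOMAINS = {
    "symantec.com", "symantecliveupdate.com", "sophos.com", "mcafee.com",
    "viruslist.com", "f-secure.com", "kaspersky.com", "avp.com",
    "networkassociates.com", "ca.com", "my-etrust.com", "nai.com",
    "trendmicro.com",
}
LOOPBACK = {"127.0.0.1", "::1"}


def _base_domain(host):
    """Last two labels of a hostname (simplification: ignores co.uk-style suffixes)."""
    parts = host.lower().rstrip(".").split(".")
    return ".".join(parts[-2:]) if len(parts) >= 2 else parts[0]


def find_sinkholed_vendors(hosts_text):
    """Return (address, hostname) pairs that map a vendor domain to loopback."""
    hits = []
    for raw in hosts_text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments and whitespace
        if not line:
            continue
        addr, *names = line.split()
        if addr not in LOOPBACK:
            continue
        hits.extend((addr, n.lower()) for n in names
                    if _base_domain(n) in VENDOR_DOMAINS)
    return hits


def parse_ini(text):
    """Minimal case-insensitive INI reader: {section: {key: value}}, last value wins."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in ";#":
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].strip().lower()
            sections.setdefault(current, {})
        elif "=" in line and current is not None:
            key, value = line.split("=", 1)
            sections[current][key.strip().lower()] = value.strip()
    return sections


def autorun_launch_target(autorun_text):
    """Executable named by open= in [autorun], or None when absent or empty."""
    return parse_ini(autorun_text).get("autorun", {}).get("open") or None


def winini_load_entries(winini_text):
    """Non-empty load= / run= values under [windows]; both are autostart hooks."""
    windows = parse_ini(winini_text).get("windows", {})
    return {k: v for k, v in windows.items() if k in ("load", "run") and v}


def triage(hosts_text, autorun_text, winini_text):
    """Collect findings as short strings; an empty list means nothing was flagged."""
    findings = [f"HOSTS pins {name} to {addr}"
                for addr, name in find_sinkholed_vendors(hosts_text)]
    target = autorun_launch_target(autorun_text)
    if target:
        findings.append(f"AUTORUN.INF launches {target}")
    for key, value in winini_load_entries(winini_text).items():
        findings.append(f"win.ini [windows] {key}={value}")
    return findings


# Constructed sample inputs: a benign line in each file next to the suspicious ones.
SAMPLE_HOSTS = """\
# clean localhost entry, then Agobot-style vendor sinkholing
127.0.0.1       localhost
127.0.0.1 www.sophos.com
127.0.0.1 liveupdate.symantec.com   # blocks definition updates
127.0.0.1 viruslist.com
192.168.1.10 fileserver.corp.example
"""
SAMPLE_AUTORUN = "[autorun]\nopen=setup.exe\n"
SAMPLE_WININI = """\
[windows]
load=C:\\WINDOWS\\SYSTEM\\qxtz8.exe
run=
[Desktop]
Wallpaper=(None)
"""

if __name__ == "__main__":
    for finding in triage(SAMPLE_HOSTS, SAMPLE_AUTORUN, SAMPLE_WININI):
        print("FINDING:", finding)
```

On a live machine the same functions can be fed the contents of %SystemRoot%\System32\drivers\etc\hosts, the root of each removable or shared drive, and %SystemRoot%\win.ini; the Run/RunServices registry values listed above still need a separate registry check.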