Tillbaka till svenska Fidonet
English   Information   Debug  
COMICS   0/15
CONSPRCY   0/899
COOKING   33420
COOKING_OLD1   0/24719
COOKING_OLD2   0/40862
COOKING_OLD3   0/37489
COOKING_OLD4   0/35496
COOKING_OLD5   9370
C_ECHO   0/189
C_PLUSPLUS   0/31
DIRTY_DOZEN   0/201
DOORGAMES   0/2065
DOS_INTERNET   0/196
duplikat   6002
ECHOLIST   0/18295
EC_SUPPORT   0/318
ELECTRONICS   0/359
ELEKTRONIK.GER   1534
ENET.LINGUISTIC   0/13
ENET.POLITICS   0/4
ENET.SOFT   0/11701
ENET.SYSOP   33945
ENET.TALKS   0/32
ENGLISH_TUTOR   0/2000
EVOLUTION   0/1335
FDECHO   0/217
FDN_ANNOUNCE   0/7068
FIDONEWS   24159
FIDONEWS_OLD1   0/49742
FIDONEWS_OLD2   0/35949
FIDONEWS_OLD3   0/30874
FIDONEWS_OLD4   0/37224
FIDO_SYSOP   12852
FIDO_UTIL   0/180
FILEFIND   0/209
FILEGATE   0/212
FILM   0/18
FNEWS_PUBLISH   4436
FN_SYSOP   41705
FN_SYSOP_OLD1   71952
FTP_FIDO   0/2
FTSC_PUBLIC   0/13611
FUNNY   0/4886
GENEALOGY.EUR   0/71
GET_INFO   105
GOLDED   0/408
HAM   0/16074
HOLYSMOKE   0/6791
HOT_SITES   0/1
HTMLEDIT   0/71
HUB203   466
HUB_100   264
HUB_400   39
HUMOR   0/29
IC   0/2851
INTERNET   0/424
INTERUSER   0/3
IP_CONNECT   719
JAMNNTPD   0/233
JAMTLAND   0/47
KATTY_KORNER   0/41
LAN   0/16
LINUX-USER   0/19
LINUXHELP   0/1155
LINUX   0/22112
LINUX_BBS   0/957
mail   18.68
mail_fore_ok   249
MENSA   0/341
MODERATOR   0/102
MONTE   0/992
MOSCOW_OKLAHOMA   0/1245
MUFFIN   0/783
MUSIC   0/321
N203_STAT   930
N203_SYSCHAT   313
NET203   321
NET204   69
NET_DEV   0/10
NORD.ADMIN   0/101
NORD.CHAT   0/2572
NORD.FIDONET   189
NORD.HARDWARE   0/28
NORD.KULTUR   0/114
NORD.PROG   0/32
NORD.SOFTWARE   0/88
NORD.TEKNIK   0/58
NORD   0/453
OCCULT_CHAT   0/93
OS2BBS   0/787
OS2DOSBBS   0/580
OS2HW   0/42
OS2INET   0/37
OS2LAN   0/134
OS2PROG   0/36
OS2REXX   0/113
OS2USER-L   207
OS2   0/4786
OSDEBATE   0/18996
PASCAL   0/490
PERL   0/457
PHP   0/45
POINTS   0/405
POLITICS   0/29554
POL_INC   0/14731
PSION   103
R20_ADMIN   1123
R20_AMATORRADIO   0/2
R20_BEST_OF_FIDONET   13
R20_CHAT   0/893
R20_DEPP   0/3
R20_DEV   399
R20_ECHO2   1379
R20_ECHOPRES   0/35
R20_ESTAT   0/719
R20_FIDONETPROG...
...RAM.MYPOINT
  0/2
R20_FIDONETPROGRAM   0/22
R20_FIDONET   0/248
R20_FILEFIND   0/24
R20_FILEFOUND   0/22
R20_HIFI   0/3
R20_INFO2   3249
R20_INTERNET   0/12940
R20_INTRESSE   0/60
R20_INTR_KOM   0/99
R20_KANDIDAT.CHAT   42
R20_KANDIDAT   28
R20_KOM_DEV   112
R20_KONTROLL   0/13299
R20_KORSET   0/18
R20_LOKALTRAFIK   0/24
R20_MODERATOR   0/1852
R20_NC   76
R20_NET200   245
R20_NETWORK.OTH...
...ERNETS
  0/13
R20_OPERATIVSYS...
...TEM.LINUX
  0/44
R20_PROGRAMVAROR   0/1
R20_REC2NEC   534
R20_SFOSM   0/341
R20_SF   0/108
R20_SPRAK.ENGLISH   0/1
R20_SQUISH   107
R20_TEST   2
R20_WORST_OF_FIDONET   12
RAR   0/9
RA_MULTI   106
RA_UTIL   0/162
REGCON.EUR   0/2056
REGCON   0/13
SCIENCE   0/1206
SF   0/239
SHAREWARE_SUPPORT   0/5146
SHAREWRE   0/14
SIMPSONS   0/169
STATS_OLD1   0/2539.065
STATS_OLD2   0/2530
STATS_OLD3   0/2395.095
STATS_OLD4   0/1692.25
SURVIVOR   0/495
SYSOPS_CORNER   0/3
SYSOP   0/84
TAGLINES   0/112
TEAMOS2   0/4530
TECH   0/2617
TEST.444   0/105
TRAPDOOR   0/19
TREK   0/755
TUB   0/290
UFO   0/40
UNIX   0/1316
USA_EURLINK   0/102
USR_MODEMS   0/1
VATICAN   0/2740
VIETNAM_VETS   0/14
VIRUS   0/378
VIRUS_INFO   0/201
VISUAL_BASIC   0/473
WHITEHOUSE   0/5187
WIN2000   0/101
WIN32   0/30
WIN95   0/4289
WIN95_OLD1   0/70272
WINDOWS   0/1517
WWB_SYSOP   0/419
WWB_TECH   0/810
ZCC-PUBLIC   0/1
ZEC   4

 
4DOS   0/134
ABORTION   0/7
ALASKA_CHAT   0/506
ALLFIX_FILE   0/1313
ALLFIX_FILE_OLD1   0/7997
ALT_DOS   0/152
AMATEUR_RADIO   0/1039
AMIGASALE   0/14
AMIGA   0/331
AMIGA_INT   0/1
AMIGA_PROG   0/20
AMIGA_SYSOP   0/26
ANIME   0/15
ARGUS   0/924
ASCII_ART   0/340
ASIAN_LINK   0/651
ASTRONOMY   0/417
AUDIO   0/92
AUTOMOBILE_RACING   0/105
BABYLON5   0/17862
BAG   135
BATPOWER   0/361
BBBS.ENGLISH   0/382
BBSLAW   0/109
BBS_ADS   0/5290
BBS_INTERNET   0/507
BIBLE   0/3563
BINKD   0/1119
BINKLEY   0/215
BLUEWAVE   0/2173
CABLE_MODEMS   0/25
CBM   0/46
CDRECORD   0/66
CDROM   0/20
CLASSIC_COMPUTER   0/378
Möte DIRTY_DOZEN, 201 texter
 lista första sista föregående nästa
Text 153, 1196 rader
Skriven 2006-11-25 12:53:00 av KURT WISMER (1:123/140)
Ärende: News, November 25 2006
==============================
[cut-n-paste from sophos.com]

Name   W32/Rbot-FWL

Type  
    * Worm

How it spreads  
    * Network shares

Affected operating systems  
    * Windows

Side effects  
    * Allows others to access the computer
    * Downloads code from the internet
    * Reduces system security
    * Installs itself in the Registry
    * Exploits system or software vulnerabilities

Aliases  
    * Backdoor.Win32.Rbot.adf
    * a variant of Win32/Rbot
    * W32.Spybot.Worm
    * WORM_RBOT.CG

Prevalence (1-5) 2

Description
W32/Rbot-FWL is a worm with IRC backdoor functionality for the 
Windows platform.

W32/Rbot-FWL spreads
- to computers vulnerable to common exploits, including: WKS 
(MS03-049) and
ASN.1 (MS04-007)
- to MSSQL servers protected by weak passwords
- to network shares protected by weak passwords

W32/Rbot-FWL runs continuously in the background, providing a 
backdoor server
which allows a remote intruder to gain access and control over the 
computer via
IRC channels.

W32/Rbot-FWL modifies the HOSTS file, appended lines to prevent 
access to
certain websites.

Advanced
W32/Rbot-FWL is a worm with IRC backdoor functionality for the 
Windows platform.

W32/Rbot-FWL spreads
- to computers vulnerable to common exploits, including: WKS 
(MS03-049) and
ASN.1 (MS04-007)
- to MSSQL servers protected by weak passwords
- to network shares protected by weak passwords

W32/Rbot-FWL runs continuously in the background, providing a 
backdoor server
which allows a remote intruder to gain access and control over the 
computer via
IRC channels.

When first run W32/Rbot-FWL copies itself to &ltSystem>\atigfx.exe.

The following registry entries are created to run atigfx.exe on 
startup:

HKCU\Software\Microsoft\Windows\CurrentVersion\Run
ATI Video Driver Control
atigfx.exe

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
ATI Video Driver Control
atigfx.exe

HKCU\Software\Microsoft\Windows\CurrentVersion\RunServices
ATI Video Driver Control
atigfx.exe

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices
ATI Video Driver Control
atigfx.exe

Registry entries are set as follows:

HKCU\SYSTEM\CurrentControlSet\Control\Lsa
ATI Video Driver Control
atigfx.exe

HKLM\SYSTEM\CurrentControlSet\Control\Lsa
ATI Video Driver Control
atigfx.exe

HKCU\Software\Microsoft\OLE
ATI Video Driver Control
atigfx.exe

HKLM\SOFTWARE\Microsoft\Ole
ATI Video Driver Control
atigfx.exe





Name   Troj/Nebuler-M

Type  
    * Spyware Trojan

Affected operating systems  
    * Windows

Side effects  
    * Steals information
    * Installs itself in the Registry

Aliases  
    * Trojan-Dropper.Win32.Small.aua
    * Win32/Agent.NEQ
    * TROJ_SMALL.DSN

Prevalence (1-5) 2

Description
Troj/Nebuler-M is a Trojan for the Windows platform.

Troj/Nebuler-M gathers details relating to dialup services and sends 
collected information to a remote site via HTTP.

Advanced
Troj/Nebuler-M is a Trojan for the Windows platform.

Troj/Nebuler-M gathers details relating to dialup services and sends 
collected information to a remote site via HTTP.

The Trojan may inject code into other processes in an attempt to 
remain hidden.

When Troj/Nebuler-M is installed the following files are created:

<System>\win<xxx>32.dll

Where <xxx> are random letters.

The file win<xxx>32.dll is detected as Troj/Nebule-Gen.

The following registry entries are created to run code exported by 
win<xxx>32.dll on startup:

HKLM\SOFTWARE\Microsoft\Windows 
NT\CurrentVersion\Winlogon\Notify\win<xxx>32
DllName
win<xxx>32.dll

HKLM\SOFTWARE\Microsoft\Windows 
NT\CurrentVersion\Winlogon\Notify\win<xxx>32
Impersonate
0

HKLM\SOFTWARE\Microsoft\Windows 
NT\CurrentVersion\Winlogon\Notify\win<xxx>32
Startup
EvtStartup

Registry entries are created under:

HKLM\SOFTWARE\Microsoft\MSSMGR\





Name   W32/Rbot-FWM

Type  
    * Worm

How it spreads  
    * Network shares

Affected operating systems  
    * Windows

Side effects  
    * Allows others to access the computer
    * Installs itself in the Registry

Aliases  
    * Backdoor.Win32.SdBot.awk

Prevalence (1-5) 2

Description
W32/Rbot-FWM is a worm with IRC backdoor functionality for the 
Windows platform.

W32/Rbot-FWM runs continuously in the background, providing a 
backdoor server
which allows a remote intruder to gain access and control over the 
computer via
IRC channels.

Advanced
W32/Rbot-FWM is a worm with IRC backdoor functionality for the 
Windows platform.

W32/Rbot-FWM runs continuously in the background, providing a 
backdoor server
which allows a remote intruder to gain access and control over the 
computer via
IRC channels.

When first run W32/Rbot-FWM copies itself to &ltSystem>\svcchost.exe.

The following registry entries are created to run svcchost.exe on 
startup:

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
msvcc25
svcchost.exe

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices
msvcc25
svcchost.exe

Registry entries are set as follows:

HKLM\SOFTWARE\Microsoft\Ole
EnableDCOM
N

HKLM\SYSTEM\CurrentControlSet\Control\Lsa
restrictanonymous
1





Name   Troj/Clagger-AK

Type  
    * Trojan

Affected operating systems  
    * Windows

Side effects  
    * Downloads code from the internet
    * Reduces system security

Prevalence (1-5) 2

Description
Troj/Clagger-AK is a Trojan for the Windows platform.

Troj/Clagger-AK includes functionality to download, install and run 
new software.

Advanced
Troj/Clagger-AK is a Trojan for the Windows platform.

Troj/Clagger-AK includes functionality to download, install and run 
new software.

Troj/Clagger-AK attempts to download files to the following locations:

<Windows>\1.exe
<Windows>\chii.exe
<Windows>\zupacha.exe

The following registry entry is set, affecting internet security:

HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\
FiREWaLLpolicy\StAnDaRDPrOFiLe\AUtHorizedapplications\List\
<original filename>
<pathname of the Trojan executable>:*:ENABLED:0





Name   W32/Looked-AX

Type  
    * Virus

How it spreads  
    * Network shares
    * Infected files

Affected operating systems  
    * Windows

Side effects  
    * Turns off anti-virus applications
    * Downloads code from the internet
    * Installs itself in the Registry
    * Leaves non-infected files on computer

Prevalence (1-5) 2

Description
W32/Looked-AX is a virus which can also spread via network shares.

W32/Looked-AX runs continuously in the background, providing a 
backdoor server which allows a remote intruder to gain access and 
control over the computer.

Advanced
W32/Looked-AX is a virus which can also spread via network shares.

W32/Looked-AX runs continuously in the background, providing a 
backdoor server which allows a remote intruder to gain access and 
control over the computer.

W32/Looked-AX includes functionality to access the internet and 
communicate with a remote server via HTTP.

When run W32/Looked-AX copies itself to 
<Windows>\uninstall\rundl132.exe and creates the following files:

<Windows>\Dll.dll

Dll.dll is also detected as W32/Looked-AX.

The following registry entry is created to run rundl132.exe on startup:

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
load
<Windows>\uninstall\rundl132.exe

Registry entries are created under:

HKLM\SOFTWARE\Soft\DownloadWWW\





Name   Troj/Vixup-BZ

Type  
    * Trojan

Affected operating systems  
    * Windows

Side effects  
    * Downloads code from the internet
    * Reduces system security
    * Installs itself in the Registry

Aliases  
    * Trojan-Downloader.Win32.Tibs.ir
    * Win32/TrojanDownloader.Small.AWA
    * Trojan.Galapoper.A
    * TROJ_TIBS.OS

Prevalence (1-5) 2

Description
Troj/Vixup-BZ is a Trojan for the Windows platform.

Troj/Vixup-BZ includes functionality to download and run further 
executable code.

Advanced
Troj/Vixup-BZ is a Trojan for the Windows platform.

Troj/Vixup-BZ includes functionality to download and run further 
executable code.

When first run Troj/Vixup-BZ copies itself to <System>\kernels8.exe 
and may download a file to <System>\dlh9jkdq8.exe.

The following registry entry is created to run kernels8.exe on startup:

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
System
<System>\kernels8.exe

The following registry entry is set, disabling the Windows task 
manager (taskmgr):

HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System
DisableTaskMgr
1





Name   W32/Stration-AJ

Type  
    * Worm

How it spreads  
    * Network shares

Affected operating systems  
    * Windows

Side effects  
    * Drops more malware
    * Downloads code from the internet
    * Installs itself in the Registry

Aliases  
    * WORM_STRAT.GG

Prevalence (1-5) 2

Description
W32/Stration-AJ is a worm for the Windows platform.

W32/Stration-AJ includes functionality to download, install and run 
new software.

Advanced
W32/Stration-AJ is a worm for the Windows platform.

W32/Stration-AJ includes functionality to download, install and run 
new software.

When first run W32/Stration-AJ copies itself to <Windows>\cserv32.exe 
and creates the following files:

<Windows>\cserv32.dat
<System>\e1.dll

The file e1.dll is detected as W32/Strati-Gen.

The following registry entry is created to run cserv32.exe on startup:

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
cserv32
<Windows>\cserv32.exe s

The following registry entry is set:

HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows
AppInit_DLLs
e1.dll





Name   Troj/QQRob-ABA

Type  
    * Trojan

Affected operating systems  
    * Windows

Side effects  
    * Turns off anti-virus applications
    * Installs itself in the Registry

Aliases  
    * Trojan-PSW.Win32.QQRob.is
    * PAK_Generic.001

Prevalence (1-5) 2

Description
Troj/QQRob-ABA is a Trojan for the Windows platform.

Advanced
Troj/QQRob-ABA is a Trojan for the Windows platform.

When first run Troj/QQRob-ABA copies itself to:

<Startup>\<random characters>.exe
<Common Files>\System\<random characters>.dat
<Windows>\Help\adsal.chm

and creates the file <Common Files>\System\<random characters>.dll. 
This file is also detected as Troj/QQRob-ABA.

The file <random characters>.dll is registered as a COM object and 
ShellExecute hook, creating registry entries under:

HKCR\CLSID\(random CLSID)
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ 
ShellExecuteHooks\(randome CLSID)

The following registry entries are also created, disabling certain 
anti-virus and security processes:

HKLM\SYSTEM\CurrentControlSet\Services\AVP
Start
4

HKLM\SYSTEM\CurrentControlSet\Services\FireSvc
Start
4

HKLM\SYSTEM\CurrentControlSet\Services\KPfwSvc
Start
4

HKLM\SYSTEM\CurrentControlSet\Services\KVSrvXP
Start
4

HKLM\SYSTEM\CurrentControlSet\Services\KVWSC
Start
4

HKLM\SYSTEM\CurrentControlSet\Services\KWatchSvc
Start
4

HKLM\SYSTEM\CurrentControlSet\Services\McAfeeFramework
Start
4

HKLM\SYSTEM\CurrentControlSet\Services\McShield
Start
4

HKLM\SYSTEM\CurrentControlSet\Services\McTaskManager
Start
4

HKLM\SYSTEM\CurrentControlSet\Services\MskService
Start
4

HKLM\SYSTEM\CurrentControlSet\Services\NPFMntor
Start
4

HKLM\SYSTEM\CurrentControlSet\Services\RfwService
Start
4

HKLM\SYSTEM\CurrentControlSet\Services\RsCCenter
Start
4

HKLM\SYSTEM\CurrentControlSet\Services\RsRavMon
Start
4

HKLM\SYSTEM\CurrentControlSet\Services\SKNFW
Start
4

HKLM\SYSTEM\CurrentControlSet\Services\SNDSrvc
Start
4

HKLM\SYSTEM\CurrentControlSet\Services\SPBBCSvc
Start
4

HKLM\SYSTEM\CurrentControlSet\Services\SkyProcs
Start
4

HKLM\SYSTEM\CurrentControlSet\Services\Symantec Core LC
Start
4

HKLM\SYSTEM\CurrentControlSet\Services\ccEvtMgr
Start
4

HKLM\SYSTEM\CurrentControlSet\Services\ccProxy
Start
4

HKLM\SYSTEM\CurrentControlSet\Services\ccSetMgr
Start
4

HKLM\SYSTEM\CurrentControlSet\Services\kavsvc
Start
4

HKLM\SYSTEM\CurrentControlSet\Services\navapsvc
Start
4

HKLM\SYSTEM\CurrentControlSet\Services\wscsvc
Start
4





Name   W32/Looked-AY

Type  
    * Virus

How it spreads  
    * Network shares
    * Infected files

Affected operating systems  
    * Windows

Side effects  
    * Steals information
    * Downloads code from the internet
    * Installs itself in the Registry

Aliases  
    * W32/HLLP.Philis.bt

Prevalence (1-5) 2

Description
W32/Looked-AY is a virus and worm for the Windows platform.

W32/Looked-AY spreads to other network computers.

W32/Looked-AY includes functionality to access the internet and 
communicate with a remote server via HTTP.

Advanced
W32/Looked-AY is a virus and worm for the Windows platform.

W32/Looked-AY spreads to other network computers.

W32/Looked-AY includes functionality to access the internet and 
communicate with a remote server via HTTP.

When first run W32/Looked-AY copies itself to 
<Windows>\uninstall\rundl132.exe and creates the following files:

<Windows>\RichDll.dll - detected as W32/Looked-AY

The following registry entry is created to run rundl132.exe on startup:

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
load
<Windows>\uninstall\rundl132.exe

Registry entries are created under:

HKLM\SOFTWARE\Soft\DownloadWWW\





Name   Troj/Dloadr-AQK

Type  
    * Trojan

Affected operating systems  
    * Windows

Side effects  
    * Downloads code from the internet

Aliases  
    * Win32/TrojanDownloader.Agent.AXS

Prevalence (1-5) 2

Description
Troj/Dloadr-AQK is a downloading Trojan for the Windows platform.

Advanced
Troj/Dloadr-AQK is a downloading Trojan for the Windows platform.

Troj/Dloadr-AQK includes functionality to connect to the internet and 
communicate with a remote server via HTTP.

Registry entries are created under:

HKCU\Software\unker\<basename>\main\





Name   W32/Dref-Q

Type  
    * Worm

How it spreads  
    * Email attachments

Affected operating systems  
    * Windows

Side effects  
    * Turns off anti-virus applications
    * Sends itself to email addresses found on the infected computer
    * Drops more malware
    * Forges the sender's email address
    * Uses its own emailing engine
    * Installs itself in the Registry

Aliases  
    * Win32/Nuwar.gen

Prevalence (1-5) 2

Description
W32/Dref-Q is a mass-mailing worm for the Windows platform.

Messages sent by the worm have the following characteristics:

Subject: taken from a list including

Urgent News!
Attn
News!
Incredible news!
Read and resend asap!

or a headline retrieved from a news website.

Attached filename: taken from a list including

read me.exe
CNN latest news.exe
CNN news reader.exe
cnn.exe
news reader.exe

Advanced
W32/Dref-Q is a mass-mailing worm for the Windows platform.

Messages sent by the worm have the following characteristics:

Subject: one of

Urgent News!
Attn
News!
Incredible news!
Read and resend asap!
Attn to everybody!
Urg
White house news!

or a headline retrieved from a news website.

Attached filename: one of

read me.exe
CNN latest news.exe
CNN news reader.exe
cnn.exe
news reader.exe
cnn site explorer.exe
www-CNN-COM.exe
news agent.exe
webnews agent.exe
cnn agent.exe

When first run, W32/Dref-Q will open a browser displaying a news 
website.

W32/Dref-Q copies itself to <Windows system folder>\wservice.exe and 
creates the a randomly-named executable in the current folder. This 
randomly named executable is detected as Troj/DownLdr-QK.

The following registry entries are created to run wservice.exe on 
startup:

HKCU\Software\Microsoft\Windows\CurrentVersion\Run
UpdateService
<Windows system folder>\wservice.exe

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
UpdateService
<Windows system folder>\wservice.exe

W32/Dref-Q sets the following registry entries, disabling the 
automatic startup of other software:

HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess
Start
4

Note: disabling autostart for the SharedAccess service deactivates 
the Microsoft Internet Connection Firewall (ICF).





Name   Troj/Adload-KB

Type  
    * Trojan

Affected operating systems  
    * Windows

Side effects  
    * Downloads code from the internet

Aliases  
    * Trojan-Downloader.Win32.Adload.hw
    * TROJ_ADLOAD.RG

Prevalence (1-5) 2

Description
Troj/Adload-KB ia a Trojan for the Windows platform.

The Trojan includes functionality to access the internet and 
communicate with a remote server via HTTP.





Name   Troj/Clagger-AL

Type  
    * Trojan

Affected operating systems  
    * Windows

Side effects  
    * Downloads code from the internet

Prevalence (1-5) 2

Description
Troj/Clagger-AL is a downloading Trojan for the Windows platform.

Advanced
Troj/Clagger-AL is a downloading Trojan for the Windows platform.

Troj/Clagger-AL downloads files from a list of preconfigured URLs to 
the Windows folder and executes them.





Name   Troj/Clagger-AM

Type  
    * Trojan

Affected operating systems  
    * Windows

Side effects  
    * Downloads code from the internet

Aliases  
    * Trojan.Schoeberl.D

Prevalence (1-5) 2

Description
Troj/Clagger-AM is a Trojan for the Windows platform.





Name   W32/Sdbot-CUJ

Type  
    * Worm

How it spreads  
    * Network shares

Affected operating systems  
    * Windows

Side effects  
    * Turns off anti-virus applications
    * Allows others to access the computer
    * Installs itself in the Registry
    * Exploits system or software vulnerabilities

Aliases  
    * Backdoor.Win32.SdBot.azd
    * W32/Backdoor.PVO

Prevalence (1-5) 2

Description
W32/Sdbot-CUJ is a network worm for the Windows platform.

W32/Sdbot-CUJ runs continuously in the background, providing a 
backdoor server which allows a remote intruder to gain access and 
control over the computer via IRC channels.

W32/Sdbot-CUJ spreads to other network computers by exploiting common 
buffer overflow vulnerabilities.

Advanced
W32/Sdbot-CUJ is a network worm for the Windows platform.

W32/Sdbot-CUJ runs continuously in the background, providing a 
backdoor server which allows a remote intruder to gain access and 
control over the computer via IRC channels.

W32/Sdbot-CUJ spreads to other network computers by exploiting common 
buffer overflow vulnerabilities.

When first run W32/Sdbot-CUJ copies itself to <Windows>\directx.exe.

The file directx.exe is registered as a new system driver service 
named "directx.exe", with a display name of "directx.exe" and a 
startup type of automatic, so that it is started automatically during 
system startup. Registry entries are created under:

HKLM\SYSTEM\CurrentControlSet\Services\directx.exe\

The worm disables the Windows System File Checker by changing the 
following registry entry:

HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon
SFCDisable
ffffff9d

(the default value for this entry is 0)

W32/Sdbot-CUJ overwrites the following system files:

<Windows>\sfc_os.dll
<Windows>\ftp.exe
<Windows>\tftp.exe





Name   W32/Looked-AZ

Type  
    * Virus

How it spreads  
    * Network shares
    * Infected files

Affected operating systems  
    * Windows

Side effects  
    * Steals information
    * Downloads code from the internet
    * Installs itself in the Registry
    * Leaves non-infected files on computer

Prevalence (1-5) 2

Description
W32/Looked-AZ is a virus.

W32/Looked-AZ infects EXE files found on the infected computer and 
attempts to spread to remote network shares with weak passwords.

The virus includes functionality to access the internet and 
communicate with a remote server via HTTP.

Advanced
W32/Looked-AZ is a virus.

W32/Looked-AZ infects EXE files found on the infected computer and 
attempts to spread to remote network shares with weak passwords.

The virus includes functionality to access the internet and 
communicate with a remote server via HTTP.

When first run W32/Looked-AZ copies itself to 
<Windows>\uninstall\rundl132.exe and <Windows>\logo1_.exe and creates 
files <Windows>\RichDll.dll, which is also detected as W32/Looked-AZ.

Many files with the name "_desktop.ini" are also created, in various 
folders on the infected computer. These files are harmless text files.

The following registry entry is created to run rundl132.exe on startup:

HKCU\Software\Microsoft\Windows NT\CurrentVersion\Windows
load
<Windows>\uninstall\rundl132.exe

Registry entries are created under:

HKLM\SOFTWARE\Soft\DownloadWWW\





Name   Troj/Clagger-AN

Type  
    * Trojan

Affected operating systems  
    * Windows

Side effects  
    * Downloads code from the internet

Aliases  
    * Downloader-ATM

Prevalence (1-5) 2

Description
Troj/Clagger-AN is a downloading Trojan for the Windows platform.

Troj/Clagger-AN downloads files from preconfigured URLs to the 
Windows folder and executes them.





Name   Troj/Lineag-AEO

Type  
    * Spyware Trojan

Affected operating systems  
    * Windows

Side effects  
    * Steals information
    * Drops more malware
    * Records keystrokes
    * Installs itself in the Registry

Aliases  
    * Trojan-PSW.Win32.Hangame.cl
    * Trojan-PSW.Win32.Nilage.ajk

Prevalence (1-5) 2

Description
Troj/Lineag-AEO is a password stealing Trojan for the Windows platform.

Troj/Lineag-AEO includes functionality to access the internet and 
communicate with a remote server via HTTP.

Advanced
Troj/Lineag-AEO is a password stealing Trojan for the Windows platform.

Troj/Lineag-AEO includes functionality to access the internet and 
communicate with a remote server via HTTP.

When Troj/Lineag-AEO is installed the following files are created:

<Temp>\ri.exe
<Temp>\t2.exe
<Program Files>\Internet Explorer\explorer.exe
<System>\ccdll.dll

The files explorer.exe and ri.exe are detected as Troj/Hangame-AF. 
The files t2.exe and ccdll.dll are also detected as Troj/Lineag-AEO.

The following registry entry is created to run explorer.exe on startup:

HKCU\Software\Microsoft\Windows NT\CurrentVersion\Windows
load
<Program Files>\INTERN~1\explorer.exe





Name   Troj/WowPWS-AJ

Type  
    * Spyware Trojan

Affected operating systems  
    * Windows

Side effects  
    * Steals information
    * Downloads code from the internet
    * Installs itself in the Registry

Prevalence (1-5) 2

Description
Troj/WowPWS-AJ is a Trojan for the Windows platform.

Troj/WowPWS-AJ includes functionality to access the internet and 
communicate with a remote server via HTTP.

Advanced
Troj/WowPWS-AJ is a Trojan for the Windows platform.

Troj/WowPWS-AJ includes functionality to access the internet and 
communicate with a remote server via HTTP.

Troj/WowPWS-AJ includes functionality to steal passwords for certain 
online games.

When first run Troj/WowPWS-AJ copies itself to 
<Windows>\Download\svhost32.exe and creates the following files:

<Temp>\a.dll
<System>\xydll.dll

The following registry entry is created to run svhost32.exe on startup:

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
xy
<Windows>\Download\svhost32.exe





Name   Troj/Nebuler-N

Type  
    * Trojan

Affected operating systems  
    * Windows

Side effects  
    * Drops more malware
    * Installs itself in the Registry

Aliases  
    * Trojan-Dropper.Win32.Agent.azn

Prevalence (1-5) 2

Description
Troj/Nebuler-N is a Trojan for the Windows platform.

Advanced
Troj/Nebuler-N is a Trojan for the Windows platform.

When Troj/Nebuler-N is installed the following files are created:

<Temp>\mst1.bat
<Temp>\mst1.tmp
<Current Folder>\mit.bat
<System>\winool32.dll

The files winool32.dll and mst1.tmp are detected as Troj/Nebule-Gen. 
The files mst1.bat and mit.bat are clean scripts to delete 
Troj/Nebuler-N files.

The following registry entries are created to run code exported by 
winool32.dll on startup:

HKLM\SOFTWARE\Microsoft\Windows 
NT\CurrentVersion\Winlogon\Notify\winool32
DllName
winool32.dll

HKLM\SOFTWARE\Microsoft\Windows 
NT\CurrentVersion\Winlogon\Notify\winool32
Impersonate
0

HKLM\SOFTWARE\Microsoft\Windows 
NT\CurrentVersion\Winlogon\Notify\winool32
Startup
EvtStartup

Registry entries are created under:

HKLM\SOFTWARE\Microsoft\MSSMGR\

Troj/Nebuler-N may create files in the following folders:

<User>\Application Data\Microsoft\Crypto\rsa
<User>\Application Data\Microsoft\Protect

 
--- MultiMail/Win32 v0.43
 * Origin: Try Our Web Based QWK: DOCSPLACE.ORG (1:123/140)