Text 161, 1204 lines
Written 2007-01-07 17:55:00 by KURT WISMER
Subject: News, January 6 2007
============================
[cut-n-paste from sophos.com]
Name Troj/Zlob-XI
Type
* Trojan
Affected operating systems
* Windows
Side effects
* Downloads code from the internet
Prevalence (1-5) 2
Description
Troj/Zlob-XI is a downloader Trojan.
Troj/Zlob-XI can arrive as a result of web browsing. Certain web
pages may exploit vulnerabilities associated with Microsoft Internet
Explorer to silently download and install/run the Trojan without user
interaction.
Advanced
Troj/Zlob-XI is a downloader Trojan.
Troj/Zlob-XI can arrive as a result of web browsing. Certain web
pages may exploit vulnerabilities associated with Microsoft Internet
Explorer to silently download and install/run the Trojan without user
interaction.
When Troj/Zlob-XI is installed the following file is downloaded from
the internet:
<Temp>\av1.exe
Name W32/MSNVB-B
Type
* Spyware Worm
How it spreads
* Chat programs
Affected operating systems
* Windows
Side effects
* Steals information
* Leaves non-infected files on computer
Aliases
* Win32/Spy.VB.LO
Prevalence (1-5) 2
Description
W32/MSNVB-B is an MSN Messenger worm for the Windows platform.
Advanced
W32/MSNVB-B is an MSN Messenger worm for the Windows platform.
When first run W32/MSNVB-B copies itself to
<System>\<random characters>\winlogon.exe and creates the file <Temp>\del2.bat.
W32/MSNVB-B may attempt to send web links via Instant Messenger
messages, with one of the following bodies:
Is this yours?
go here <url> kool site
Name W32/Flukan-C
Type
* Virus
How it spreads
* Infected files
Affected operating systems
* Windows
Side effects
* Turns off anti-virus applications
* Stops the computer from booting
* Modifies data on the computer
* Deletes files off the computer
* Steals information
* Installs itself in the Registry
Prevalence (1-5) 2
Description
W32/Flukan-C is a backdoor virus for the Windows platform.
W32/Flukan-C infects files with ".zip" extensions on the local
system, by overwriting the contents of the ZIP files with a copy of
itself as an EXE, with the same name as the .zip file. W32/Flukan-C
may also infect executables.
The virus also has the following functionality:
- terminates security and administration related processes (and
explorer.exe)
- connects to remote IRC servers to receive and execute commands on
the local system
- steals information
- overwrites the hosts file
- disables safe mode
- deletes anti-virus related files and services
Advanced
W32/Flukan-C is a backdoor virus for the Windows platform.
W32/Flukan-C infects files with ".zip" extensions on the local
system, by overwriting the contents of the ZIP files with a copy of
itself as an EXE, with the same name as the .zip file. W32/Flukan-C
may also infect executables.
The virus also has the following functionality:
- terminates security and administration related processes (and
explorer.exe)
- connects to remote IRC servers to receive and execute commands on
the local system
- steals information
- overwrites the hosts file
- disables safe mode
- deletes anti-virus related files and services
When first run W32/Flukan-C may copy itself to:
<target folder>\<random 5 characters>.exe
and creates the following files:
<target folder>\devil.ocx
<target folder>\grogot.exe
<target folder>\pluto.ocx
Where "<target folder>" may be <Windows> or <User>\Templates.
Registry entries are created under:
HKLM\SOFTWARE\Grogotix.A
The virus may also set the following registry entries:
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Grogotix
<Windows>\<random 5 characters>.exe
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System
DisableCmd
1
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System
DisableRegistryTools
1
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System
DisableTaskMgr
1
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer
NoFind
1
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer
NoFolderOptions
1
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer
NoRecentDocsMenu
1
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer
NoRun
1
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer
NoSetFolders
1
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer
NoTrayContextMenu
1
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer
NoViewContextMenu
1
HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced
Hidden
2
HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced
HideFileExt
1
HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced
ShowSuperHidden
0
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon
Explorer.exe <Windows>\<random 5 characters>.exe
Name Troj/Everda-B
Type
* Trojan
Affected operating systems
* Windows
Side effects
* Downloads code from the internet
* Reduces system security
* Installs itself in the Registry
* Leaves non-infected files on computer
* Modifies browser settings
Prevalence (1-5) 2
Description
Troj/Everda-B is a Trojan for the Windows platform.
Troj/Everda-B includes functionality to modify the HOSTS file, change
the browser start page, reduce browser security settings, set registry
entries, inject code into other processes, download and execute files
from remote websites, and provide stealthing.
Advanced
Troj/Everda-B is a Trojan for the Windows platform.
Troj/Everda-B includes functionality to modify the HOSTS file, change
the browser start page, reduce browser security settings, set registry
entries, inject code into other processes, download and execute files
from remote websites, and provide stealthing.
When installed Troj/Everda-B is registered as a new system driver
service named "random name", with a display name of "random name" and
a startup type of automatic, so that it is started automatically
during system startup. Registry entries are created under:
HKLM\SYSTEM\CurrentControlSet\Services\<random name>\
Name Troj/Nofere-B
Type
* Trojan
Affected operating systems
* Windows
Side effects
* Downloads code from the internet
* Installs itself in the Registry
Prevalence (1-5) 2
Description
Troj/Nofere-B is a Trojan for the Windows platform.
Troj/Nofere-B includes functionality to access the internet and
communicate with a remote server via HTTP.
Troj/Nofere-B may also download and execute files from remote
locations.
Advanced
Troj/Nofere-B is a Trojan for the Windows platform.
Troj/Nofere-B includes functionality to access the internet and
communicate with a remote server via HTTP.
Troj/Nofere-B may also download and execute files from remote
locations.
When first run Troj/Nofere-B copies itself to <Windows>\svch0st.exe.
The following registry entry is created to run svch0st.exe on startup:
HKCU\Software\Microsoft\Windows\CurrentVersion\Run
ravtask
<Windows>\svch0st.exe
Troj/Nofere-B may set registry entries under the following location:
HKCR\ferefile
Name W32/Bagle-RC
Type
* Worm
How it spreads
* Email attachments
Affected operating systems
* Windows
Side effects
* Allows others to access the computer
* Sends itself to email addresses found on the infected computer
* Forges the sender's email address
* Uses its own emailing engine
* Downloads code from the internet
* Installs itself in the Registry
Aliases
* Email-Worm.Win32.Bagle.gt
Prevalence (1-5) 2
Description
W32/Bagle-RC is a mass-mailing worm for the Windows platform.
Advanced
W32/Bagle-RC is a mass-mailing worm for the Windows platform.
When run, the worm copies itself to the <Application Data>\hidn\
folder as hidn2.exe and hldrrr.exe and creates the following registry
entries:
HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
drv_st_key
<Application Data>\hidn\hidn2.exe
HKLM\SOFTWARE\FirstRun
FirstRun
1
W32/Bagle-RC will also remove registry entries associated with
SafeBoot.
Name W32/Piggi-A
Type
* Spyware Worm
How it spreads
* Email attachments
* Network shares
* Peer-to-peer
Affected operating systems
* Windows
Side effects
* Turns off anti-virus applications
* Allows others to access the computer
* Modifies data on the computer
* Steals information
* Uses its own emailing engine
* Reduces system security
* Installs itself in the Registry
* Exploits system or software vulnerabilities
* Leaves non-infected files on computer
Prevalence (1-5) 2
Description
W32/Piggi-A is a mass-mailing worm for the Windows platform.
W32/Piggi-A spreads via email and may pretend:
- to offer a free gift
- that your myspace, anti-virus, tax, financial or personal details
have been hacked or expired
- that an email sent failed to deliver
- to be showing you a picture, movie, game, sound or website
- to offer a gambling, casino or poker technique or strategy
Attached files may contain any of the following extensions:
- .wav
- .wma
- .mp3
- .rtf
- .html
- .txt
- .gif
- .jpeg
- .com
- .exe
W32/Piggi-A may exploit RPCDCOM and LanManager exploits.
W32/Piggi-A harvests email addresses from the Windows Address Book,
and by searching the computer.
Advanced
W32/Piggi-A is a mass-mailing worm for the Windows platform.
W32/Piggi-A spreads via email and may pretend:
- to offer a free gift
- that your myspace, anti-virus, tax, financial or personal details
have been hacked or expired
- that an email sent failed to deliver
- to be showing you a picture, movie, game, sound or website
- to offer a gambling, casino or poker technique or strategy
Attached files may contain any of the following extensions:
- .wav
- .wma
- .mp3
- .rtf
- .html
- .txt
- .gif
- .jpeg
- .com
- .exe
W32/Piggi-A may exploit RPCDCOM and LanManager exploits.
W32/Piggi-A harvests email addresses from the Windows Address Book,
and by searching the computer.
When first run W32/Piggi-A may make hundreds of copies of itself to
any folder with one of the following names:
- BearShare
- Uploads
- Downloads
- Shared
- Upload
- Share
- Collections
- My Shared Folder
and to the following filenames as ADS (Alternate Data Stream) streams:
<Windows>\lsass.exe
<Program Files>\Internet Explorer\iexplore.exe
<System>\dllcache\svchost.exe
<Windows>\svchost.exe
and creates the following files:
<System>\drivers\<random 5 characters>.sys - detected as
Troj/NTRootK-BB
<System>\msfsr.sys - detected as Troj/NTRootK-BB
\zyxwvuts.log
The following registry entry is created to run W32/Piggi-A on startup:
HKCU\Software\Microsoft\Windows\CurrentVersion\Run
<original name of the worm>
<pathname of the worm executable>
The following registry entry is changed to run lsass.exe on startup:
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon
Shell
explorer.exe <Windows>\lsass.exe
The file <random 5 characters>.sys is registered as a new system
driver service named "<random 5 characters>", with a display name of
"<random 5 characters>" and a startup type of automatic, so that it
is started automatically during system startup. Registry entries are
created under:
HKLM\SYSTEM\CurrentControlSet\Services\<random 5 characters>
The file msfsr.sys is registered as a new system driver service named
"msfsr", with a display name of "msfsr". Registry entries are created
under:
HKLM\SYSTEM\CurrentControlSet\Services\msfsr
The following registry entry is set, affecting internet security:
HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\
Parameters\FirewallPolicy
StandardProfile\AuthorizedApplications\List
<pathname of the worm executable>
<Current Folder>\<original filename>:*:enabled:@xpsp2res.dll,-22019
W32/Piggi-A sets the following registry entries, disabling the
automatic startup of other software:
HKLM\SYSTEM\CurrentControlSet\Services\wuauserv
Start
3
W32/Piggi-A may overwrite the wuauserv services and any Norton
LiveUpdate services.
Name W32/Brontok-CG
Type
* Worm
How it spreads
* Email attachments
Affected operating systems
* Windows
Side effects
* Turns off anti-virus applications
* Sends itself to email addresses found on the infected computer
* Reduces system security
* Installs itself in the Registry
Aliases
* W32.Ascribes
Prevalence (1-5) 2
Description
W32/Brontok-CG is a mass-mailing worm for the Windows platform.
Advanced
W32/Brontok-CG is a mass-mailing worm for the Windows platform.
W32/Brontok-CG may also arrive in a self-extracting archive file
called 3GPlayer-Setup.exe
When run, W32/Brontok-CG copies itself to:
\BRoNToK.exe
\Data .exe
\Brontok\New Folder.exe
<Startup>\Empty.pif
<User>\Local Settings\Application Data\windows\csrss.exe
<User>\Local Settings\Application Data\windows\lsass.exe
<User>\Local Settings\Application Data\windows\services.exe
<User>\Local Settings\Application Data\windows\smss.exe
<User>\Local Settings\Application Data\windows\winlogon.exe
<Windows>\BRoNToK.exe
<System>\IExplorer.exe
<System>\shell.exe
and creates the files:
\BRoNToK.txt
Brontok\Folder.htt
The following registry entries are created to run W32/Brontok-CG on
startup:
HKCU\Software\Microsoft\Windows\CurrentVersion\Run
BRoNToK
<Windows>\BRoNToK.exe
HKCU\Software\Microsoft\Windows\CurrentVersion\Run
Servicesara
<User>\Local Settings\Application Data\WINDOWS\SERVICES.EXE
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Logonsara
<User>\Local Settings\Application Data\WINDOWS\CSRSS.EXE
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
System Monitoring
<User>\Local Settings\Application Data\WINDOWS\LSASS.EXE
HKCU\Software\Microsoft\Windows\CurrentVersion\Run
MSMSGS
<User>\Local Settings\Application Data\WINDOWS\WINLOGON.EXE
The following registry entries are changed to run W32/Brontok-CG on
startup:
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon
Shell
Explorer.exe "<System>\IExplorer.exe"
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon
Userinit
<System>\userinit.exe,<System>\IExplorer.exe
The following registry entries are set or modified, so that shell.exe
is run when files with extensions of BAT, COM, EXE and PIF are
opened/launched:
HKCR\lnkfile\shell\open\command
(default)
<System>\shell.exe" "%1" %*
HKCR\batfile\shell\open\command
(default)
<System>\shell.exe" "%1" %*
HKCR\comfile\shell\open\command
(default)
<System>\shell.exe" "%1" %*
HKCR\exefile\shell\open\command
(default)
<System>\shell.exe" "%1" %*
HKCR\piffile\shell\open\command
(default)
<System>\shell.exe" "%1" %*
The following registry entries are set, disabling system software:
HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System
DisableCMD
1
HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System
DisableTaskMgr
1
HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System
DisableRegistryTools
1
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system
DisableTaskMgr
1
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system
DisableRegistryTools
1
HKLM\SOFTWARE\Policies\Microsoft\Windows NT\SystemRestore
DisableConfig
1
HKLM\SOFTWARE\Policies\Microsoft\Windows NT\SystemRestore
DisableSR
1
Registry entries are set as follows:
HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer
NoFolderOptions
1
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer
NoFolderOptions
1
HKLM\SOFTWARE\Policies\Microsoft\Windows\Installer
LimitSystemRestoreCheckpointing
1
HKLM\SOFTWARE\Policies\Microsoft\Windows\Installer
DisableMSI
1
HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced
Hidden
0
HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced
HideFileExt
1
HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced
ShowSuperHidden
0
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\AeDebug
Debugger
<System>\Shell.exe
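The registry changes listed for W32/Flukan-C, W32/Piggi-A and W32/Brontok-CG above (policy lockouts, Winlogon Shell/Userinit chaining, file-handler hijacks, the AeDebug debugger swap) can be checked for in a registry export. The following is an added example, not Sophos's or the poster's code: it parses a constructed .reg-style export and flags the patterns those writeups describe. The sample export, the `%ld` heuristic for AeDebug and the lockout value list are assumptions drawn from the text above.

```python
import re

# Constructed .reg export mimicking the tampering described in the writeups
# (Brontok-CG Shell/Userinit chaining and handler hijack, Flukan-C policies).
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System]
"DisableTaskMgr"=dword:00000001
"DisableRegistryTools"=dword:00000001

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer]
"NoFolderOptions"=dword:00000001
"NoDriveTypeAutoRun"=dword:00000091

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"Shell"="Explorer.exe \"C:\\WINDOWS\\system32\\IExplorer.exe\""
"Userinit"="C:\\WINDOWS\\system32\\userinit.exe,C:\\WINDOWS\\system32\\IExplorer.exe"

[HKEY_CLASSES_ROOT\exefile\shell\open\command]
@="\"%1\" %*"

[HKEY_CLASSES_ROOT\batfile\shell\open\command]
@="C:\\WINDOWS\\system32\\shell.exe\" \"%1\" %*"
'''

# Policy value names the writeups above list as set to 1 by the malware.
LOCKOUTS = {n.lower() for n in (
    "DisableCmd", "DisableRegistryTools", "DisableTaskMgr", "NoFind",
    "NoFolderOptions", "NoRecentDocsMenu", "NoRun", "NoSetFolders",
    "NoTrayContextMenu", "NoViewContextMenu", "DisableConfig", "DisableSR",
    "DisableMSI", "LimitSystemRestoreCheckpointing")}
HANDLERS = ("exefile", "comfile", "batfile", "piffile", "lnkfile")


def _decode(raw):
    """Turn the right-hand side of a .reg line into an int or str."""
    raw = raw.strip()
    if raw.lower().startswith("dword:"):
        return int(raw[6:], 16)
    if len(raw) >= 2 and raw.startswith('"') and raw.endswith('"'):
        return re.sub(r"\\(.)", r"\1", raw[1:-1])  # unescape \\ and \"
    return raw  # hex:/expand types left opaque; not needed here


def parse_reg(text):
    """Map (key path, value name) -> value; the default value has name ''."""
    values, key = {}, None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            key = line[1:-1]
        elif key and "=" in line and line[0] in '"@':
            name, _, raw = line.partition("=")
            name = "" if name == "@" else name.strip('"')
            values[(key, name)] = _decode(raw)
    return values


def find_tampering(values):
    """Return (key, name, reason) for each value matching a writeup pattern."""
    findings = []
    for (key, name), val in values.items():
        k, n, s = key.lower(), name.lower(), str(val)
        if "\\policies\\" in k and n in LOCKOUTS and val not in (0, "0"):
            findings.append((key, name, "policy lockout set"))
        elif k.endswith("\\currentversion\\winlogon") and n == "shell":
            if s.strip().strip('"').lower() != "explorer.exe":
                findings.append((key, name, "extra program chained to Shell"))
        elif k.endswith("\\currentversion\\winlogon") and n == "userinit":
            parts = [p.strip().strip('"') for p in s.split(",") if p.strip()]
            if len(parts) != 1 or not parts[0].lower().endswith("userinit.exe"):
                findings.append((key, name, "extra program chained to Userinit"))
        elif n == "" and any(k.endswith("\\%s\\shell\\open\\command" % h)
                             for h in HANDLERS):
            if not s.lstrip().startswith('"%1"'):  # clean handlers start with "%1"
                findings.append((key, name, "file handler hijacked"))
        elif k.endswith("\\aedebug") and n == "debugger" and "%ld" not in s:
            findings.append((key, name, "AeDebug debugger lacks %ld arguments"))
    return findings


if __name__ == "__main__":
    for key, name, reason in find_tampering(parse_reg(SAMPLE_REG)):
        print("%s: [%s] %s" % (reason, key, name or "(default)"))
```

Run against an export taken with `reg export` from a suspect host; NoDriveTypeAutoRun in the sample is a normal setting and is deliberately not flagged.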
Name W32/Sdbot-CWL
Type
* Worm
Affected operating systems
* Windows
Side effects
* Allows others to access the computer
* Installs itself in the Registry
* Exploits system or software vulnerabilities
Aliases
* Backdoor.Win32.SdBot.xd
* Win32/Iroffer
Prevalence (1-5) 2
Description
W32/Sdbot-CWL is a worm and backdoor Trojan for the Windows platform.
Name W32/Pardona-E
Type
* Virus
How it spreads
* Infected files
Affected operating systems
* Windows
Side effects
* Modifies data on the computer
* Downloads code from the internet
Prevalence (1-5) 2
Description
W32/Pardona-E is a virus.
W32/Pardona-E includes functionality to access the internet and
communicate with a remote server via HTTP.
W32/Pardona-E infects exe and html files. Infected .exe files are
detected as W32/Pardona-E, infected .html files are detected as
W32/Pardif-A.
Advanced
W32/Pardona-E is a virus.
W32/Pardona-E includes functionality to access the internet and
communicate with a remote server via HTTP.
W32/Pardona-E infects exe and html files. Infected .exe files are
detected as W32/Pardona-E, infected .html files are detected as
W32/Pardif-A.
When first run W32/Pardona-E copies itself to:
<Temp>\MediaSups.exe
<Windows>\cmd.com
<Windows>\net.com
<Windows>\regedit.com
Registry entries are created under:
HKCR\.key
Name Troj/Lager-U
Type
* Trojan
Affected operating systems
* Windows
Side effects
* Allows others to access the computer
* Drops more malware
* Uses its own emailing engine
Prevalence (1-5) 2
Description
Troj/Lager-U is a proxy Trojan for the Windows platform.
Advanced
Troj/Lager-U is a proxy Trojan for the Windows platform.
When first run Troj/Lager-U copies itself to <System>\taskdir.exe and
creates the file <System>\adir.dll.
The file adir.dll is detected as Troj/HideDl-B.
Troj/Lager-U may act as a proxy relay for spam.
Name Troj/Sforce-B
Type
* Trojan
Affected operating systems
* Unix
Side effects
* Scans network for weak passwords
Aliases
* HackTool.Linux.BF.b
* Linux/Portscan
* Hacktool.Rootkit
* ELF_PORTSCAN.D
Prevalence (1-5) 2
Description
Troj/Sforce-B is a tool for gaining access to sshd servers with weak
passwords.
Name W32/Looked-BI
Type
* Virus
How it spreads
* Network shares
* Infected files
Affected operating systems
* Windows
Side effects
* Downloads code from the internet
* Installs itself in the Registry
* Leaves non-infected files on computer
Aliases
* Worm.Win32.Viking.du
* W32/HLLP.Philis.dn
* Win32/Viking.CH
* PE_LOOKED.QR
Prevalence (1-5) 2
Description
W32/Looked-BI is a virus and network worm for the Windows platform.
W32/Looked-BI infects files found on the local computer.
W32/Looked-BI also copies itself to remote network shares and may
infect files found on those shares.
W32/Looked-BI includes functionality to access the internet and
communicate with a remote server via HTTP. W32/Looked-BI may attempt
to download and execute additional files from a remote location.
Advanced
W32/Looked-BI is a virus and network worm for the Windows platform.
W32/Looked-BI infects files found on the local computer.
W32/Looked-BI also copies itself to remote network shares and may
infect files found on those shares.
W32/Looked-BI includes functionality to access the internet and
communicate with a remote server via HTTP. W32/Looked-BI may attempt
to download and execute additional files from a remote location.
When first run W32/Looked-BI copies itself to
<Windows>\uninstall\rundl132.exe and creates the file
<Windows>\RichDll.dll. The file RichDll.dll is also detected as
W32/Looked-BI.
W32/Looked-BI may also create many files with the name "_desktop.ini"
in various folders on the infected computer. These files are harmless
text files and can be deleted.
The following registry entry is created to run rundl132.exe on startup:
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
load
<Windows>\uninstall\rundl132.exe
Registry entries are created under:
HKLM\SOFTWARE\Soft\DownloadWWW\
Name Troj/Zybot-D
Type
* Trojan
Affected operating systems
* Windows
Side effects
* Allows others to access the computer
* Stops the computer from booting
* Deletes files off the computer
Prevalence (1-5) 2
Description
Troj/Zybot-D is a backdoor Trojan for the Windows platform.
Troj/Zybot-D allows a remote intruder access to and control over an
infected computer.
Advanced
Troj/Zybot-D is a backdoor Trojan for the Windows platform.
Troj/Zybot-D allows a remote intruder access to and control over an
infected computer.
Troj/Zybot-D may install new versions of the following files:
<System>\msvbvm60.dll
<System>\msxml2.dll
<System>\msxml2r.dll
<System>\msxml3.dll
<System>\msxml3r.dll
<System>\msxml.dll
<System>\msxmlr.dll
<System>\scrrun.dll
<System>\stdole2.tlb
<System>\vbar332.dll
Name Troj/Zlob-XS
Type
* Trojan
Affected operating systems
* Windows
Side effects
* Downloads code from the internet
* Installs itself in the Registry
Aliases
* Trojan-Downloader.Win32.Zlob.bbr
Prevalence (1-5) 2
Description
Troj/Zlob-XS is a downloader Trojan for the Windows platform.
Advanced
Troj/Zlob-XS is a downloader Trojan for the Windows platform.
Registry entries are created under:
HKCU\Software\Internet Security
The folder <Program Files>\Video ActiveX Object\ may also be created.
Name W32/Rbot-GAA
Type
* Worm
How it spreads
* Network shares
Affected operating systems
* Windows
Side effects
* Allows others to access the computer
* Installs itself in the Registry
* Exploits system or software vulnerabilities
Aliases
* Backdoor.Win32.Rbot.btz
* W32/Sdbot.worm.gen.g
Prevalence (1-5) 2
Description
W32/Rbot-GAA is a worm and backdoor Trojan for the Windows platform.
W32/Rbot-GAA runs continuously in the background, providing a
backdoor server which allows a remote intruder to gain access and
control over the computer via IRC channels.
Advanced
W32/Rbot-GAA is a worm and backdoor Trojan for the Windows platform.
W32/Rbot-GAA runs continuously in the background, providing a
backdoor server which allows a remote intruder to gain access and
control over the computer via IRC channels.
When first run W32/Rbot-GAA copies itself to <System>\lsass.ppf.
The following registry entries are created to run lsass.ppf on startup:
HKCU\Software\Microsoft\Windows\CurrentVersion\Run
Microsoft
lsass.ppf
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Microsoft
lsass.ppf
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices
Microsoft
lsass.ppf
Name W32/Rbot-GAC
Type
* Worm
How it spreads
* Network shares
Affected operating systems
* Windows
Side effects
* Allows others to access the computer
* Installs itself in the Registry
Prevalence (1-5) 2
Description
W32/Rbot-GAC is a worm and IRC backdoor for the Windows platform.
W32/Rbot-GAC runs continuously in the background, providing a
backdoor server which allows a remote intruder to gain access and
control over the computer via IRC channels.
Advanced
When first run W32/Rbot-GAC copies itself to <System>\msauth.exe.
The following registry entries are created to run msauth.exe on
startup:
HKCU\Software\Microsoft\Windows\CurrentVersion\Run
Microsoft Corp TLS Certificates
msauth.exe
HKCU\Software\Microsoft\Windows\CurrentVersion\RunServices
Microsoft Corp TLS Certificates
msauth.exe
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Microsoft Corp TLS Certificates
msauth.exe
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices
Microsoft Corp TLS Certificates
msauth.exe
Registry entries are set as follows:
HKCU\Software\Microsoft\OLE
Microsoft Corp TLS Certificates
msauth.exe
HKLM\SOFTWARE\Microsoft\Ole
Microsoft Corp TLS Certificates
msauth.exe
Name W32/Pardona-F
Type
* Virus
How it spreads
* Infected files
Affected operating systems
* Windows
Side effects
* Allows others to access the computer
* Downloads code from the internet
Prevalence (1-5) 2
Description
W32/Pardona-F is a virus for the Windows platform.
W32/Pardona-F includes functionality to access the internet and
communicate with a remote server via HTTP.
Advanced
W32/Pardona-F is a virus for the Windows platform.
W32/Pardona-F includes functionality to access the internet and
communicate with a remote server via HTTP.
When first run W32/Pardona-F copies itself to:
<Temp>\MediaSups.exe
<Windows>\cmd.com
<Windows>\net.com
<Windows>\regedit.com
Registry entries are created under:
HKCR\.key
Name W32/Sdbot-CWO
Type
* Worm
Affected operating systems
* Windows
Side effects
* Allows others to access the computer
* Installs itself in the Registry
* Exploits system or software vulnerabilities
Aliases
* Backdoor.Win32.IRCBot.wt
* W32/Sdbot.worm.gen.g
* Win32/Rbot
* W32.Spybot.Worm
Prevalence (1-5) 2
Description
W32/Sdbot-CWO is a network worm with IRC backdoor functionality.
W32/Sdbot-CWO spreads by exploiting common network vulnerabilities.
W32/Sdbot-CWO allows a remote attacker to gain access and control
over the infected computer using IRC channels.
Advanced
W32/Sdbot-CWO is a network worm with IRC backdoor functionality.
W32/Sdbot-CWO spreads by exploiting common network vulnerabilities.
W32/Sdbot-CWO allows a remote attacker to gain access and control
over the infected computer using IRC channels.
When first run, W32/Sdbot-CWO copies itself to <System>\adv32.exe and
creates the following registry entries in order to be run
automatically:
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Office Monitor
<System>\adv32.exe
HKCU\Software\Microsoft\Windows\CurrentVersion\Run
Office Monitor
<System>\adv32.exe
W32/Sdbot-CWO sets the following registry entries in order to secure
the infected computer against further exploits:
HKLM\SOFTWARE\Microsoft\Ole\
EnableDCOM
N
HKLM\SYSTEM\CurrentControlSet\Control\Lsa\
restrictanonymous
1
--- MultiMail/Win32 v0.43
* Origin: Doc's Place BBS Fido Since 1991 www.docsplace.tzo.com (1:123/140)