Text 162, 1190 lines
Written 2007-01-14 00:08:00 by KURT WISMER
Subject: News, January 14 2007
=============================
[cut-n-paste from sophos.com]
Name W32/Looked-BJ
Type
* Virus
How it spreads
* Network shares
* Infected files
Affected operating systems
* Windows
Side effects
* Turns off anti-virus applications
* Steals information
* Downloads code from the internet
* Installs itself in the Registry
Prevalence (1-5) 2
Description
W32/Looked-BJ is a virus and network worm for the Windows platform.
W32/Looked-BJ spreads to other network computers.
W32/Looked-BJ includes functionality to access the internet and
communicate with a remote server via HTTP.
Advanced
W32/Looked-BJ is a virus and network worm for the Windows platform.
W32/Looked-BJ spreads to other network computers.
W32/Looked-BJ includes functionality to access the internet and
communicate with a remote server via HTTP.
When first run W32/Looked-BJ copies itself to
<Windows>\uninstall\rundl132.exe and creates the file
<Windows>\RichDll.dll.
The following registry entry is created to run rundl132.exe on startup:
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
load
<Windows>\uninstall\rundl132.exe
Registry entries are created under:
HKLM\SOFTWARE\Soft\DownloadWWW
Name Troj/Haxdoor-DL
Type
* Trojan
Affected operating systems
* Windows
Side effects
* Drops more malware
* Reduces system security
* Installs itself in the Registry
Aliases
* Backdoor.Win32.Haxdoor.jw
Prevalence (1-5) 2
Description
Troj/Haxdoor-DL is a Trojan for the Windows platform.
Advanced
Troj/Haxdoor-DL is a Trojan for the Windows platform.
When Troj/Haxdoor-DL is installed the following files are created:
<System>\eetvpn.dll
<System>\eetvpn.sys
<System>\eexvpn.sys
<System>\kgctini.dat
<System>\lps.dat
<System>\qo.dll
<System>\qo.sys
The files eetvpn.dll, eetvpn.sys, eexvpn.sys, qo.dll and qo.sys are
detected as Troj/Haxdor-Fam.
The following registry entries are created to run code exported by
eetvpn.dll on startup:
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\eetvpn
DllName
eetvpn.dll
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\eetvpn
Startup
ER03Sb5fex
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\eetvpn
Impersonate
1
The file eexvpn.sys is registered as a new system driver service
named "eexvpn", with a display name of "MCRT accelerator". Registry
entries are created under:
HKLM\SYSTEM\CurrentControlSet\Services\eexvpn
Name Troj/IRCBot-TK
Type
* Trojan
Affected operating systems
* Windows
Side effects
* Allows others to access the computer
* Installs itself in the Registry
Aliases
* Backdoor.Win32.VB.apv
* W32/Generic.d
Prevalence (1-5) 2
Description
Troj/IRCBot-TK is a Trojan for the Windows platform.
Troj/IRCBot-TK runs continuously in the background, providing a
backdoor server which allows a remote intruder to gain access and
control over the computer via IRC channels.
Advanced
Troj/IRCBot-TK is a Trojan for the Windows platform.
Troj/IRCBot-TK runs continuously in the background, providing a
backdoor server which allows a remote intruder to gain access and
control over the computer via IRC channels.
When Troj/IRCBot-TK is installed the following files are created:
\scif\explorer.exe
\scif\svchost.exe
\scif\msinet.ocx
\scif\mswinsck.ocx
The files explorer.exe and svchost.exe are also detected as
Troj/IRCBot-TK. The .ocx files are legitimate Microsoft files.
The following registry entry is created to run Troj/IRCBot-TK on
startup:
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
explorer
\scif\explorer.exe
The files msinet.ocx and mswinsck.ocx are registered as COM objects,
creating registry entries under:
HKCR\CLSID\(248DD896-BB45-11CF-9ABC-0080C7E7B78D)
HKCR\CLSID\(248DD897-BB45-11CF-9ABC-0080C7E7B78D)
HKCR\CLSID\(48E59293-9880-11CF-9754-00AA00C00908)
HKCR\CLSID\(48E59294-9880-11CF-9754-00AA00C00908)
HKCR\CLSID\(48E59295-9880-11CF-9754-00AA00C00908)
HKCR\Interface\(248DD892-BB45-11CF-9ABC-0080C7E7B78D)
HKCR\Interface\(248DD893-BB45-11CF-9ABC-0080C7E7B78D)
HKCR\TypeLib\(248DD890-BB45-11CF-9ABC-0080C7E7B78D)
Registry entries are set as follows:
HKCR\MSWinsock.Winsock.1\CLSID
(default)
(248DD896-BB45-11CF-9ABC-0080C7E7B78D)
HKCR\MSWinsock.Winsock\CLSID
(default)
(248DD896-BB45-11CF-9ABC-0080C7E7B78D)
Registry entries are created under:
HKCR\MSWinsock.Winsock
Name W32/QQRob-ABX
Type
* Spyware Worm
How it spreads
* Removable storage devices
Affected operating systems
* Windows
Side effects
* Steals information
* Downloads code from the internet
* Reduces system security
* Installs itself in the Registry
* Leaves non-infected files on computer
Aliases
* Trojan-Downloader.Win32.Small.ecw
* Generic Downloader.ak
* Win32/TrojanDownloader.Small.ECW
* WORM_QQROB.ARQ
Prevalence (1-5) 2
Description
W32/QQRob-ABX is a worm for the Windows platform.
W32/QQRob-ABX includes functionality to access the internet and
communicate with a remote server via HTTP, and attempts to download
and execute a number of files to <Temp>\<random digits>.exe.
W32/QQRob-ABX may attempt to steal information from the infected
computer.
Advanced
W32/QQRob-ABX is a worm for the Windows platform.
W32/QQRob-ABX includes functionality to access the internet and
communicate with a remote server via HTTP, and attempts to download
and execute a number of files to <Temp>\<random digits>.exe.
W32/QQRob-ABX may attempt to steal information from the infected
computer.
W32/QQRob-ABX spreads to other computers via removable storage
devices with the filename sss.exe.
When first run W32/QQRob-ABX copies itself to <System>\scvhsot.exe.
W32/QQRob-ABX also creates files called <Temp>\<random digits>.txt.
These are copied as autorun.inf when the worm spreads to removable
storage devices, and contain instructions to execute the worm copy on
startup.
The following registry entry is created to run scvhsot.exe on startup:
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
QQKAV
<System>\scvhsot.exe
Name W32/Pardona-G
Type
* Worm
How it spreads
* Infected files
Affected operating systems
* Windows
Side effects
* Modifies data on the computer
* Drops more malware
* Downloads code from the internet
* Installs itself in the Registry
Aliases
* Virus.Win32.Delf.ao
Prevalence (1-5) 2
Description
W32/Pardona-G is a virus for the Windows platform.
Advanced
W32/Pardona-G is a virus for the Windows platform.
The virus attempts to infect EXE files, and to modify HTM and ASP
files so that they silently download from a remote website.
W32/Pardona-G includes functionality to access the internet and
communicate with a remote server via HTTP.
When first run W32/Pardona-G copies itself to:
<Temp>\<8 random alphabets>
Registry entries are created under:
HKLM\SOFTWARE\Classes\.key
Name Troj/Clagger-AQ
Type
* Trojan
Affected operating systems
* Windows
Side effects
* Downloads code from the internet
* Installs itself in the Registry
* Leaves non-infected files on computer
Prevalence (1-5) 2
Description
Troj/Clagger-AQ is a downloader Trojan for the Windows platform.
Troj/Clagger-AQ attempts to download and execute a number of files
from remote websites.
Troj/Clagger-AQ has been seen emailed as an attachment called
1&1Rechnung.pdf.exe.
Upon execution Troj/Clagger-AQ displays the following fake "Acrobat
Reader" error message:
"Acrobat Reader ERROR 31847".
Advanced
Troj/Clagger-AQ is a downloader Trojan for the Windows platform.
Troj/Clagger-AQ attempts to download and execute a number of files
from remote websites.
Troj/Clagger-AQ has been seen emailed as an attachment called
1&1Rechnung.pdf.exe.
Upon execution Troj/Clagger-AQ displays the following fake "Acrobat
Reader" error message:
"Acrobat Reader ERROR 31847".
When installed Troj/Clagger-AQ copies itself to <System>\<random>.exe.
The following registry entries are created to run <random>.exe on
startup:
HKCU\Software\Microsoft\Windows\CurrentVersion\Run
WinUpdate
<System>\INETSRVt.exe
HKCU\Software\Microsoft\Windows\CurrentVersion\RunServices
WinUpdate
<System>\<random>.exe
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
WinUpdate
<System>\<random>.exe
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices
WinUpdate
<System>\<random>.exe
Registry entries are set as follows:
HKCU\Software\Microsoft\OLE
WinUpdate
<System>\<random>.exe
HKLM\SOFTWARE\Microsoft\Ole
WinUpdate
<System>\<random>.exe
Troj/Clagger-AQ also may create the file <System>\drivers\winut.dat.
This file may be safely removed.
Name W32/SillyFDC-I
Type
* Worm
How it spreads
* Removable storage devices
Affected operating systems
* Windows
Side effects
* Reduces system security
* Installs itself in the Registry
Aliases
* Trojan.Win32.VB.aol
* W32/Generic.e
* Win32/VB.AOL
* W32.SillyFDC
Prevalence (1-5) 2
Description
W32/SillyFDC-I is a worm for the Windows platform.
W32/SillyFDC-I may copy itself to drives A: and B:.
Advanced
W32/SillyFDC-I is a worm for the Windows platform.
When first run W32/SillyFDC-I copies itself to:
<User>\Documents\Top Pictures.exe
<User>\My Documents\New Folder.exe
<Windows>\Windows Explorer.exe
W32/SillyFDC-I may also copy itself to drives A: and B:.
The following registry entry is created to run W32/SillyFDC-I on
startup:
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Explorer
<Windows>\Windows Explorer.exe
The following registry entry is set:
HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced
HideFileExt
1
Name Troj/Kbroy-G
Type
* Spyware Trojan
Affected operating systems
* Windows
Side effects
* Allows others to access the computer
* Records keystrokes
* Installs itself in the Registry
Prevalence (1-5) 2
Description
Troj/Kbroy-G is a backdoor Trojan for the Windows platform.
Troj/Kbroy-G includes functionality to access the internet and
communicate with a remote server via HTTP.
Advanced
Troj/Kbroy-G is a backdoor Trojan for the Windows platform.
Troj/Kbroy-G includes functionality to access the internet and
communicate with a remote server via HTTP.
When first run Troj/Kbroy-G moves itself to \RpQS.exe and creates the
following files:
\delmeexe.bat
\RpQS.dll.
The file delmeexe.bat is a simple batch file which attempts to delete
the original copy of the Trojan and then itself. It is in itself
neither malicious nor a threat.
The file RpQs.dll is also detected as Troj/Kbroy-G.
The file RpQs.exe is registered as a new system driver service named
"RpQS", with a display name of "Remote Procedure Qall System(RPQS)"
and a startup type of automatic, so that it is started automatically
during system startup. Registry entries are created under:
HKLM\SYSTEM\CurrentControlSet\Services\RpQS\
Name W32/Kraze-B
Type
* Virus
How it spreads
* Infected files
Affected operating systems
* Windows
Side effects
* Downloads code from the internet
* Installs itself in the Registry
Prevalence (1-5) 2
Description
W32/Kraze-B is a virus for the Windows platform.
W32/Kraze-B includes functionality to access the internet and
communicate with a remote server via HTTP.
Advanced
W32/Kraze-B is a virus for the Windows platform.
W32/Kraze-B includes functionality to access the internet and
communicate with a remote server via HTTP.
When first run W32/Kraze-B copies itself to:
<Startup>\WinZip Quick Pick.exe
\WINZIP_TMP.exe
<Windows>\Rundll16.exe
<Windows>\WINZIP_TMP.exe
<System>\scanregw.exe
and creates the following files:
<User>\Local Settings\Temp<original Trojan filename>
<Windows>\Tasks\At1.job - may be deleted
<Windows>\Tasks\At2.job - may be deleted
The file Temp<original Trojan filename> is detected as W32/Nyxem-D.
The following registry entry is created to run scanregw.exe on startup:
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
ScanRegistry
scanregw.exe /scan
Name W32/Fujacks-D
Type
* Virus
How it spreads
* Network shares
Affected operating systems
* Windows
Side effects
* Turns off anti-virus applications
* Allows others to access the computer
* Deletes files off the computer
* Downloads code from the internet
* Reduces system security
* Installs itself in the Registry
Aliases
* Worm.Win32.Delf.bd
* W32/Fujacks.worm
* WORM_NIMAYA.AG
Prevalence (1-5) 2
Description
W32/Fujacks-D is a prepending virus and worm with backdoor
functionality for the Windows platform.
W32/Fujacks-D spreads to other network computers through available
network shares and removable storage devices.
W32/Fujacks-D runs continuously in the background, providing a
backdoor server which allows a remote intruder to gain access and
control over the computer.
W32/Fujacks-D includes functionality to access the internet and
communicate with a remote server via HTTP.
Advanced
W32/Fujacks-D is a prepending virus and worm with backdoor
functionality for the Windows platform.
W32/Fujacks-D spreads to other network computers through available
network shares and removable storage devices with the filenames
GameSetup.exe and setup.exe respectively. W32/Fujacks-D also
creates the file autorun.inf to ensure that the file setup.exe is
executed.
W32/Fujacks-D runs continuously in the background, providing a
backdoor server which allows a remote intruder to gain access and
control over the computer.
W32/Fujacks-D includes functionality to access the internet and
communicate with a remote server via HTTP.
W32/Fujacks-D may change HTML files.
When first run W32/Fujacks-D copies itself to
<System>\drivers\spoclsv.exe.
The following registry entry is created to run spoclsv.exe on startup:
HKCU\Software\Microsoft\Windows\CurrentVersion\Run
svcshare
<System>\drivers\spoclsv.exe
The following registry entry is set:
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\Hidden\SHOWALL
CheckedValue
0
W32/Fujacks-D searches for EXE files in an attempt to infect them and
creates a Desktop_.ini file each time it succeeds. This file may be
safely deleted.
W32/Fujacks-D includes functionality to delete shares including the
Admin$ share.
Name W32/Rbot-GAP
Type
* Spyware Worm
How it spreads
* Network shares
Affected operating systems
* Windows
Side effects
* Allows others to access the computer
* Steals information
* Installs itself in the Registry
* Exploits system or software vulnerabilities
* Scans network for vulnerabilities
* Scans network for weak passwords
Prevalence (1-5) 2
Description
W32/Rbot-GAP is a worm and IRC backdoor Trojan for the Windows
platform.
Advanced
W32/Rbot-GAP is a worm and IRC backdoor Trojan for the Windows
platform.
W32/Rbot-GAP spreads to other network computers by exploiting common
buffer overflow vulnerabilities, including: LSASS (MS04-011),
RPC-DCOM (MS04-012), ASN.1 (MS04-007) and RealVNC (CVE-2006-2369).
The worm may also spread via network shares protected by weak
passwords.
W32/Rbot-GAP runs continuously in the background, providing a
backdoor server which allows a remote intruder to gain access and
control over the computer via IRC channels.
When first run W32/Rbot-GAP copies itself to <System>\msttl.exe.
The following registry entries are created to run msttl.exe on startup:
HKCU\Software\Microsoft\Windows\CurrentVersion\Run
Microsoft TTL Verifier
msttl.exe
HKCU\Software\Microsoft\Windows\CurrentVersion\RunServices
Microsoft TTL Verifier
msttl.exe
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Microsoft TTL Verifier
msttl.exe
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices
Microsoft TTL Verifier
msttl.exe
Registry entries are set as follows:
HKCU\Software\Microsoft\OLE
Microsoft TTL Verifier
msttl.exe
HKLM\SOFTWARE\Microsoft\Ole
Microsoft TTL Verifier
msttl.exe
Name W32/Fujacks-G
Type
* Virus
How it spreads
* Removable storage devices
* Network shares
* Infected files
Affected operating systems
* Windows
Side effects
* Allows others to access the computer
* Installs itself in the Registry
Aliases
* W32/Fujacks.l
* Win32/Fujacks
* PE_FUJACKS.BE
* Trojan-Dropper.Win32.Delf.or
Prevalence (1-5) 2
Description
W32/Fujacks-G is a prepending virus for the Windows platform.
The virus infects files on local hard drives, network shares and
removable media.
W32/Fujacks-G runs continuously in the background, providing a
backdoor server which allows a remote intruder to gain access and
control over the computer.
Advanced
W32/Fujacks-G is a prepending virus for the Windows platform.
The virus infects files on local hard drives, network shares and
removable media.
W32/Fujacks-G runs continuously in the background, providing a
backdoor server which allows a remote intruder to gain access and
control over the computer.
When W32/Fujacks-G is installed the following files are created:
<System>\drivers\spcolsv.exe
The following registry entry is created to run spcolsv.exe on startup:
HKCU\Software\Microsoft\Windows\CurrentVersion\Run
svcshare
<System>\drivers\spcolsv.exe
The following registry entry is set:
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\Hidden\SHOWALL
CheckedValue
0
Name W32/Looked-BK
Type
* Virus
How it spreads
* Network shares
* Infected files
Affected operating systems
* Windows
Side effects
* Turns off anti-virus applications
* Steals information
* Downloads code from the internet
* Installs itself in the Registry
Aliases
* PE_LOOKED.JS
Prevalence (1-5) 2
Description
W32/Looked-BK is a virus and network worm for the Windows platform.
W32/Looked-BK infects files found on the local computer.
W32/Looked-BK also copies itself to remote network shares and may
infect files found on those shares.
Advanced
W32/Looked-BK is a virus and network worm for the Windows platform.
W32/Looked-BK infects files found on the local computer.
W32/Looked-BK also copies itself to remote network shares and may
infect files found on those shares.
W32/Looked-BK may also create many files with the name "_desktop.ini"
in various folders on the infected computer. These files are harmless
text files and can be deleted.
When W32/Looked-BK is installed the following files are created:
<Windows>\Logo1_.exe
<Windows>\RichDll.dll
<Windows>\uninstall\rundl132.exe
These files are also detected as W32/Looked-BK.
The following registry entry is created to run rundl132.exe on startup:
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
load
<Windows>\uninstall\rundl132.exe
Registry entries are created under:
HKLM\SOFTWARE\Soft\DownloadWWW\
Name Troj/Counto-H
Type
* Spyware Trojan
Affected operating systems
* Windows
Side effects
* Steals information
Prevalence (1-5) 2
Description
Troj/Counto-H is a Trojan for the Windows platform.
Troj/Counto-H collects details about the infected computer and sends
them to a preconfigured host via HTTP form submission.
Information collected by the Trojan includes the versions of various
installed applications, the type of network connection and the
specifications of attached hardware.
Name W32/Codbot-EW
Type
* Spyware Worm
How it spreads
* Network shares
Affected operating systems
* Windows
Side effects
* Allows others to access the computer
* Steals information
* Downloads code from the internet
* Installs itself in the Registry
* Exploits system or software vulnerabilities
* Scans network for vulnerabilities
* Scans network for weak passwords
Aliases
* Backdoor.Win32.Codbot.by
Prevalence (1-5) 2
Description
W32/Codbot-EW is a worm with IRC backdoor functionality for the
Windows platform.
Advanced
W32/Codbot-EW is a worm with IRC backdoor functionality for the
Windows platform.
W32/Codbot-EW spreads to other network computers by exploiting common
buffer overflow vulnerabilities, including: LSASS (MS04-011), SRVSVC
(MS06-040), RPC-DCOM (MS04-012), IMAIL Server and ASN.1 (MS04-007).
W32/Codbot-EW runs continuously in the background, providing a
backdoor server which allows a remote intruder to gain access and
control over the computer via IRC channels.
When first run W32/Codbot-EW copies itself to <System>\scvhost.exe.
The file scvhost.exe is registered as a new system driver service
named "WINDRIVER", with a display name of "Microsoft Print Spooler"
and a startup type of automatic, so that it is started automatically
during system startup. Registry entries are created under:
HKLM\SYSTEM\CurrentControlSet\Services\WINDRIVER
Name Troj/Sniffer-N
Type
* Spyware Trojan
Affected operating systems
* Windows
Side effects
* Steals information
* Installs itself in the Registry
* Leaves non-infected files on computer
Aliases
* Trojan-Spy.Win32.Agent.pr
* NetSniff
* TSPY_AGENT.GRU
Prevalence (1-5) 2
Description
Troj/Sniffer-N is a Trojan for the Windows platform.
Troj/Sniffer-N monitors network traffic for email addresses.
Harvested addresses are submitted to a preconfigured server using HTTP.
Advanced
Troj/Sniffer-N is a Trojan for the Windows platform.
Troj/Sniffer-N monitors network traffic for email addresses.
Harvested addresses are submitted to a preconfigured server using HTTP.
When Troj/Sniffer-N is installed the following files are created:
<Current Folder>\wpcem.exe
<System>\Packet.dll
<System>\WanPacket.dll
<System>\drivers\npf.sys
<System>\pthreadVC.dll
<System>\wpcap.dll
wpcem.exe is also detected as Troj/Sniffer-N. The remaining files are
clean.
The following registry entry is created to run the Trojan
automatically:
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Microsoft WPCEmail
<path to Trojan>
Name Troj/Krepper-BF
Type
* Trojan
Affected operating systems
* Windows
Side effects
* Downloads code from the internet
* Installs itself in the Registry
Aliases
* Trojan-Downloader.Win32.CWS.j
* Downloader-AQV
* Trojan.KillAV
Prevalence (1-5) 2
Description
Troj/Krepper-BF is a downloading Trojan for the Windows platform.
Troj/Krepper-BF includes functionality to access the internet and
communicate with a remote server via HTTP.
Advanced
Troj/Krepper-BF is a downloading Trojan for the Windows platform.
Troj/Krepper-BF includes functionality to access the internet and
communicate with a remote server via HTTP.
When first run Troj/Krepper-BF copies itself to
<Windows>\inet20126\services.exe.
The following registry entries are created to run Troj/Krepper-BF on
startup:
HKCU\Software\Microsoft\Windows NT\CurrentVersion\Windows
run
<Windows>\inet20126\services.exe
HKCU\Software\Microsoft\Windows\CurrentVersion\Run
xp_system
<Windows>\inet20126\services.exe
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
xp_system
<Windows>\inet20126\services.exe
Name W32/Tilebot-II
Type
* Spyware Worm
How it spreads
* Network shares
Affected operating systems
* Windows
Side effects
* Allows others to access the computer
* Steals information
* Installs itself in the Registry
* Exploits system or software vulnerabilities
* Leaves non-infected files on computer
Aliases
* W32/Sdbot.worm.gen.ax
* WORM_SDBOT.BQT
Prevalence (1-5) 2
Description
W32/Tilebot-II is a worm for the Windows platform.
W32/Tilebot-II may spread by exploiting the RealVNC vulnerability
(CVE-2006-2369) or by copying itself to remote network shares with
weak passwords.
W32/Tilebot-II runs continuously in the background, providing a
backdoor server which allows a remote intruder to gain access and
control over the computer via IRC channels.
Advanced
W32/Tilebot-II is a worm for the Windows platform.
W32/Tilebot-II may spread by exploiting the RealVNC vulnerability
(CVE-2006-2369) or by copying itself to remote network shares with
weak passwords.
W32/Tilebot-II runs continuously in the background, providing a
backdoor server which allows a remote intruder to gain access and
control over the computer via IRC channels.
When first run W32/Tilebot-II copies itself to <Windows>\msnmsgr.exe.
The worm may also change the following files:
<System>\ftp.exe
<System>\sfc.dll
<System>\tftp.exe
The modified file sfc.dll is the potentially unwanted application
"Disabled System File Check DLL". The files ftp.exe and tftp.exe are
replaced by dummy files that contain no executable code.
The file msnmsgr.exe is registered as a new system driver service
named "Windows Messenger", with a display name of "Windows Messenger"
and a startup type of automatic, so that it is started automatically
during system startup. Registry entries are created under:
HKLM\SYSTEM\CurrentControlSet\Services\Windows Messenger
Registry entries are set as follows, as part of an attempt to disable
the System File Checker:
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon
SFCScan
0
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon
SFCDisable
ffffff9d
Name Troj/Busky-E
Type
* Trojan
Affected operating systems
* Windows
Side effects
* Downloads code from the internet
* Installs itself in the Registry
Prevalence (1-5) 2
Description
Troj/Busky-E is a Trojan for the Windows platform.
Advanced
Troj/Busky-E is a Trojan for the Windows platform.
The Trojan is registered as a COM object and Browser Helper Object
(BHO) for Microsoft Internet Explorer, creating registry entries under:
HKCR\CLSID\(41F328E2-5E46-F5B8-0160-020188931F32)
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\(41F328E2-5E46-F5B8-0160-020188931F32)
Name Troj/Flood-HH
Type
* Trojan
Affected operating systems
* Windows
Prevalence (1-5) 2
Description
Troj/Flood-HH is a backdoor Trojan component.
Name Troj/PWS-ADX
Type
* Spyware Trojan
Affected operating systems
* Windows
Side effects
* Steals information
* Installs itself in the Registry
Prevalence (1-5) 2
Description
Troj/PWS-ADX is a Trojan for the Windows platform.
When first run Troj/PWS-ADX copies itself to <Temp>\2760339435520.
Advanced
Troj/PWS-ADX is a Trojan for the Windows platform.
When first run Troj/PWS-ADX copies itself to <Temp>\2760339435520.
The following registry entry is created to run Troj/PWS-ADX on startup:
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
systwyns
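Nearly every entry above ends the same way: a copy dropped under <System> or <Windows> and a Run/RunServices value (or a service) pointing at it, which is exactly what a defender sweeps for. The following is an added example, not Sophos code or part of the original post: it parses the three-line key / value-name / data layout these descriptions use into indicators and compares them with a constructed snapshot of a host's autorun values. It assumes registry keys are not wrapped across lines (the paste above wraps a few) and uses only family names and paths that appear in the entries.

```python
import re
# Constructed sample input: two entries from the digest above (W32/Rbot-GAP and
# W32/SillyFDC-I), trimmed to their registry persistence sections.
SAMPLE = """\
Name W32/Rbot-GAP
The following registry entries are created to run msttl.exe on startup:
HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run
Microsoft TTL Verifier
msttl.exe
Name W32/SillyFDC-I
The following registry entry is created to run W32/SillyFDC-I on startup:
HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run
Explorer
<Windows>\\Windows Explorer.exe
The following registry entry is set:
HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\Advanced
HideFileExt
1
Registry entries are created under:
HKLM\\SOFTWARE\\Soft\\DownloadWWW
"""

HIVE_RE = re.compile(r"^(HKLM|HKCU|HKCR|HKU)\\", re.IGNORECASE)
AUTORUN_RE = re.compile(r"\\Run(Services)?$", re.IGNORECASE)
PLACEHOLDER_RE = re.compile(r"<[^>]+>")  # Sophos path placeholders such as <System>

def parse_entries(text):
    """Map each 'Name <family>' block to its (key, value_name, data) triples.

    A persistence point is three consecutive lines: key, value name, data. A
    sentence ending in 'under:' announces bare keys, stored as (key, None, None).
    Assumes keys are not wrapped across lines (the digest above wraps a few).
    """
    entries, family, bare_keys = {}, None, False
    lines, i = text.splitlines(), 0
    while i < len(lines):
        line = lines[i].strip()
        if line.startswith("Name "):
            family = line[5:]
            entries[family] = []
        elif line.endswith(":") or line.endswith("."):
            bare_keys = line.lower().endswith("under:")  # a sentence sets the mode
        elif family and HIVE_RE.match(line):
            if bare_keys or i + 2 >= len(lines):
                entries[family].append((line, None, None))
            else:
                entries[family].append((line, lines[i + 1].strip(), lines[i + 2].strip()))
                i += 2
        i += 1
    return entries

def _basename(path):
    # Drop <System>-style placeholders and directories, compare case-insensitively.
    return PLACEHOLDER_RE.sub("", path).rsplit("\\", 1)[-1].strip().lower()

def match_host_autoruns(entries, host_values):
    """Compare a host's Run/RunServices values, given as {(key, name): data}, with
    the parsed indicators: same key and value name, same executable basename."""
    hits = []
    for family, triples in entries.items():
        for key, name, data in triples:
            if name is None or not AUTORUN_RE.search(key):
                continue  # bare keys and non-autorun settings are not compared
            for (hkey, hname), hdata in host_values.items():
                if (hkey.lower(), hname.lower()) == (key.lower(), name.lower()) \
                        and _basename(hdata) == _basename(data):
                    hits.append((family, hkey, hname, hdata))
    return hits

# Constructed host snapshot: one benign value, one matching the W32/SillyFDC-I entry.
HOST_SNAPSHOT = {
    ("HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run", "ExampleUpdater"):
        "C:\\Program Files\\Example\\updater.exe",
    ("HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run", "Explorer"):
        "C:\\WINDOWS\\Windows Explorer.exe",
}

if __name__ == "__main__":
    print(match_host_autoruns(parse_entries(SAMPLE), HOST_SNAPSHOT))
```

Matching on basename rather than full path is deliberate: the descriptions only give placeholder paths, and a value name such as "Explorer" pointing at a binary outside the real Explorer location is what distinguishes the W32/SillyFDC-I entry from the legitimate shell.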
--- MultiMail/Win32 v0.43
* Origin: Doc's Place BBS Fido Since 1991 www.docsplace.tzo.com (1:123/140)