Text 17, 797 rader
Skriven 2004-12-26 19:37:00 av KURT WISMER (1:123/140)
Ärende: News, Dec. 26 2005
==========================
[cut-n-paste from sophos.com]
Name Troj/Agent-ZC
Type
* Trojan
Affected operating systems
* Windows
Side effects
* Allows others to access the computer
* Installs itself in the Registry
Aliases
* TrojanProxy.Win32.Agent.z
* BackDoor-CEZ
Prevalence (1-5) 2
Description
Troj/Agent-ZC is a Trojan for the Windows platform that can be used for
sending unsolicited commercial email (spam) as a result of instructions
downloaded from a preconfigured website.
Advanced
Troj/Agent-ZC is a Trojan for the Windows platform that can be used for
sending unsolicited commercial email (spam).
When executed Troj/Agent-ZC initiates a background process that attempts
to download instructions from a preconfigured website that will define
spam features including recipient addresses.
Troj/Agent-ZC harvests email addresses stored on the infected machine
and includes them in the list of spam recipients.
Troj/Agent-ZC sends status reports to the same site using HTTP POST.
Troj/Agent-ZC may set the follwoing registry entry:
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce
crash0001
restorecrashwin32.bat
where restorecrashwin32.bat is a script created by the Trojan.
Name Troj/Bancos-AS
Type
* Trojan
Affected operating systems
* Windows
Side effects
* Steals information
* Uses its own emailing engine
* Records keystrokes
* Installs itself in the Registry
Prevalence (1-5) 2
Description
Troj/Bancos-AS is a password stealing Trojan for the Windows platform.
The Trojan logs keypresses and steals information from Internet Explorer
sessions connected to certain Brazilian banking sites. The collected
information is emailed to a remote user.
Advanced
Troj/Bancos-AS is a password stealing Trojan for the Windows platform.
When first run, Troj/Bancos-AS creates the following registry entry in
order to run each time a user logs on:
HKLM\Software\Microsoft\Windows\CurrentVersion\Run
<filename minus extension>
"<full path to Trojan>"
The Trojan logs keypresses and steals information from Internet Explorer
sessions connected to certain Brazilian banking sites. The collected
information is emailed to a remote user.
Name Troj/Multidr-BG
Type
* Trojan
Affected operating systems
* Windows
Side effects
* Drops more malware
Aliases
* IRC-Sdbot.dr.gen
Prevalence (1-5) 2
Description
Troj/Multidr-BG is a malware dropper.
The dropped files are detected as W32/Sdbot-SP and Troj/Ranck-BP.
Advanced
Troj/Multidr-BG is a malware dropper.
Troj/Multidr-BG drops files DGXCSD.EXE and DSGQGP.EXE into the system
folder. These files are then executed.
The dropped files are detected as W32/Sdbot-SP and Troj/Ranck-BP
respectively.
Name W32/Rembot-A
Type
* Worm
How it spreads
* Network shares
Affected operating systems
* Windows
Side effects
* Allows others to access the computer
* Downloads code from the internet
* Used in DOS attacks
Aliases
* Backdoor.Win32.ForBot.q
Prevalence (1-5) 2
Description
W32/Rembot-A connects to a predetermined IRC channel and runs in the
background waiting for backdoor commands. The worm may spread via
network shares as the result of a backdoor command.
Other backdoor functionality includes participating in denial-of-service
attacks and downloading and running further executable code.
Advanced
W32/Rembot-A is an IRC backdoor worm.
W32/Rembot-A connects to a predetermined IRC channel and runs in the
background waiting for backdoor commands. The worm may spread via
network shares as the result of a backdoor command.
Other backdoor functionality includes participating in denial-of-service
attacks and downloading and running further executable code.
W32/Rembot-A copies itself to the system folder as NAVtask.exe and sets
the following registry entries in order to run itself on system startup:
HKLM\Software\Microsoft\Windows\CurrentVersion\Run
NAVtask
NAVtask.exe
HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices
NAVtask
NAVtask.exe
HKCU\Software\Microsoft\Windows\CurrentVersion\Run
NAVtask
NAVtask.exe
Name W32/Rbot-SD
Type
* Worm
How it spreads
* Network shares
Affected operating systems
* Windows
Side effects
* Turns off anti-virus applications
* Allows others to access the computer
* Downloads code from the internet
* Reduces system security
* Records keystrokes
Aliases
* Backdoor.Win32.Rbot.gen
Prevalence (1-5) 2
Description
W32/Rbot-SD is a network worm and IRC backdoor Trojan for the Windows
platform.
W32/Rbot-SD spreads using a variety of techniques including exploiting
weak passwords on computers and SQL servers, exploiting operating system
vulnerabilities and using backdoors opened by other worms or Trojans.
W32/Rbot-SD can be controlled by a remote attacker over IRC channels.
The backdoor component of W32/Rbot-SD can be instructed by a remote user
to perform the following functions:
* start an FTP server
* start a proxy server
* start a web server
* take part in distributed denial-of-service (DDoS) attacks
* log keypresses
* capture screen/webcam images
* packet sniffing
* port scanning
* download/execute arbitrary files
* start a remote shell (RLOGIN)
Advanced
W32/Rbot-SD is a network worm and IRC backdoor Trojan for the Windows
platform.
W32/Rbot-SD spreads using a variety of techniques including exploiting
weak passwords on computers and SQL servers, exploiting operating system
vulnerabilities (including DCOM-RPC, LSASS, WebDAV and UPNP) and using
backdoors opened by other worms or Trojans.
W32/Rbot-SD can be controlled by a remote attacker over IRC channels.
The backdoor component of W32/Rbot-SD can be instructed by a remote user
to perform the following functions:
* start an FTP server
* start a proxy server
* start a web server
* take part in distributed denial-of-service (DDoS) attacks
* log keypresses
* capture screen/webcam images
* packet sniffing
* port scanning
* download/execute arbitrary files
* start a remote shell (RLOGIN)
The worm copies itself to a file named iexpl0re.exe in the Windows
system folder and creates the following registry entries:
HKCU\Software\Microsoft\Windows\CurrentVersion\Run\
""
"iexpl0re.exe"
HKLM\Software\Microsoft\Windows\CurrentVersion\Run\
""
"iexpl0re.exe"
HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices\
""
"iexpl0re.exe"
Patches for the operating system vulnerabilities exploited by
W32/Rbot-SD can be obtained from Microsoft at:
http://www.microsoft.com/technet/security/bulletin/ms04-011.mspx
http://www.microsoft.com/technet/security/bulletin/ms03-039.mspx
http://www.microsoft.com/technet/security/bulletin/ms03-007.mspx
http://www.microsoft.com/technet/security/bulletin/ms01-059.mspx
Name W32/Agobot-OR
Type
* Worm
How it spreads
* Network shares
Affected operating systems
* Windows
Side effects
* Turns off anti-virus applications
* Allows others to access the computer
* Modifies data on the computer
* Steals information
* Downloads code from the internet
Prevalence (1-5) 2
Description
W32/Agobot-OR is a network worm with an IRC backdoor component.
W32/Agobot-OR is capable of spreading to computers on the local network
protected by weak passwords.
The backdoor component runs continuously in the background providing
backdoor access to the computer through IRC channels.
Advanced
W32/Agobot-OR is a network worm with an IRC backdoor component.
When first run, W32/Agobot-OR copies itself to the Windows system folder
as hey.exe and creates the following registry entries to run itself each
time a user logs on:
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\
sdfgsdfg
"hey.exe"
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices\
sdfgsdfg
"hey.exe"
The backdoor component runs continuously in the background providing
backdoor access to the computer through IRC channels.
W32/Agobot-OR attempts to terminate and disable various anti-virus and
security related programs and modifies the HOSTS file located at
%SYSTEM%\Drivers\etc\HOSTS, mapping selected anti-virus websites to the
loopback address 127.0.0.1 in an attempt to prevent access to these
sites. Typically the following mappings will be appended to the HOSTS
file:
127.0.0.1 www.symantec.com
127.0.0.1 securityresponse.symantec.com
127.0.0.1 symantec.com
127.0.0.1 www.sophos.com
127.0.0.1 sophos.com
127.0.0.1 www.mcafee.com
127.0.0.1 mcafee.com
127.0.0.1 liveupdate.symantecliveupdate.com
127.0.0.1 www.viruslist.com
127.0.0.1 viruslist.com
127.0.0.1 viruslist.com
127.0.0.1 f-secure.com
127.0.0.1 www.f-secure.com
127.0.0.1 kaspersky.com
127.0.0.1 www.avp.com
127.0.0.1 www.kaspersky.com
127.0.0.1 avp.com
127.0.0.1 www.networkassociates.com
127.0.0.1 networkassociates.com
127.0.0.1 www.ca.com
127.0.0.1 ca.com
127.0.0.1 mast.mcafee.com
127.0.0.1 my-etrust.com
127.0.0.1 www.my-etrust.com
127.0.0.1 download.mcafee.com
127.0.0.1 dispatch.mcafee.com
127.0.0.1 secure.nai.com
127.0.0.1 nai.com
127.0.0.1 www.nai.com
127.0.0.1 update.symantec.com
127.0.0.1 updates.symantec.com
127.0.0.1 us.mcafee.com
127.0.0.1 liveupdate.symantec.com
127.0.0.1 customer.symantec.com
127.0.0.1 rads.mcafee.com
127.0.0.1 trendmicro.com
127.0.0.1 www.trendmicro.com
W32/Agobot-OR will also hide all files which contain the string 'soun'.
Name W32/Mkar-E
Type
* Virus
How it spreads
* Infected files
Affected operating systems
* Windows
Side effects
* Installs itself in the Registry
Aliases
* Win32.Mkar.e
* W32/Mkar.gen
Prevalence (1-5) 2
Description
W32/Mkar-E is a virus that infects EXE files.
Infected EXE files can be disinfected.
Advanced
W32/Mkar-E is a prepending virus that infects EXE files.
W32/Mkar-E copies itself to the folder "drivers" under the Windows
system folder and drops a components into the folder "001" under the
"drivers" folder.
On NT-based versions of Windows W32/Mkar-E installs itself as a service
process called NetLogSrv with a display name comprised of non-ASCII
characters.
Infected EXE files can be disinfected.
Name Perl/Santy-A
Type
* Worm
Affected operating systems
* Windows
* Unix
Side effects
* Modifies data on the computer
* Exploits system or software vulnerabilities
Aliases
* Net-Worm.Perl.Santy.a
Prevalence (1-5) 2
Description
Perl/Santy-A is a worm that exploits a vulnerability in the phpBB
bulletin board software.
The worm spreads to vulnerable bulletin boards on both Windows and Unix
based platforms.
Infected sites may display the message:
This site is defaced!!!
NeverEverNoSanity WebWorm generation
Defaced website
The Santy worm has defaced thousands of web bulletin boards.
Advanced
Perl/Santy-A is a worm that exploits a vulnerability in the phpBB
bulletin board software.
The worm spreads to vulnerable bulletin boards on both Windows and Unix
based platforms.
Once the worm has spread to 3 or more servers it will attempt to
overwrite all HTM*, PHP*, ASP*, SHTM*, JSP* and PHTM* files with a web
page containing the following message:
This site is defaced!!!
NeverEverNoSanity WebWorm generation #
where '#' is the number of infection cycles the worm has been through to
infect the compromised server.
Defaced website
The Santy worm has defaced thousands of web bulletin boards.
Name Troj/Bancban-AN
Type
* Trojan
Affected operating systems
* Windows
Side effects
* Steals information
* Records keystrokes
* Installs itself in the Registry
Aliases
* Trojan-Spy.Win32.Banbra.ad
* PWS-Bancban.gen.b
Prevalence (1-5) 2
Description
Troj/Bancban-AN is a data stealing Trojan which attempts to capture
confidential information related to internet banking, such as usernames
and logon passwords.
Troj/Bancban-AN will then attempt to email the stolen information to a
pre-defined email address.
Advanced
Troj/Bancban-AN is a data stealing Trojan which attempts to capture
confidential information related to internet banking, such as usernames
and logon passwords.
Troj/Bancban-AN will copy itself to a folder named Systens that it
creates under the Windows system folder as smss.exe
Troj/Bancban-AN creates the following registry entry to run itself on
startup:
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
KernellApps32
smss.exe
Troj/Bancban-AN will then attempt to email the stolen information to a
pre-defined email address.
Name W32/Rbot-SB
Type
* Worm
How it spreads
* Network shares
Affected operating systems
* Windows
Side effects
* Allows others to access the computer
* Steals information
* Downloads code from the internet
* Reduces system security
* Records keystrokes
* Installs itself in the Registry
Aliases
* W32/Sdbot.worm.gen.j
Prevalence (1-5) 2
Description
W32/Rbot-SB is a network worm and IRC backdoor Trojan for the Windows
platform.
W32/Rbot-SB spreads using a variety of techniques including exploiting
weak passwords on computers and SQL servers, exploiting operating system
vulnerabilities (including DCOM-RPC, LSASS, WebDAV and UPNP) and using
backdoors opened by other worms or Trojans.
W32/Rbot-SB can be controlled by a remote attacker over IRC channels.
The backdoor component of W32/Rbot-SB can be instructed by a remote user
to perform the following functions:
start an FTP server
start a Proxy server
start a web server
take part in distributed denial of service (DDoS) attacks
log keypresses
capture screen/webcam images
packet sniffing
port scanning
download/execute arbitrary files
start a remote shell (RLOGIN)
Advanced
W32/Rbot-SB is a network worm and IRC backdoor Trojan for the Windows
platform.
W32/Rbot-SB spreads using a variety of techniques including exploiting
weak passwords on computers and SQL servers, exploiting operating system
vulnerabilities (including DCOM-RPC, LSASS, WebDAV and UPNP) and using
backdoors opened by other worms or Trojans.
W32/Rbot-SB can be controlled by a remote attacker over IRC channels.
The backdoor component of W32/Rbot-SB can be instructed by a remote user
to perform the following functions:
start an FTP server
start a Proxy server
start a web server
take part in distributed denial of service (DDoS) attacks
log keypresses
capture screen/webcam images
packet sniffing
port scanning
download/execute arbitrary files
start a remote shell (RLOGIN)
The worm copies itself to a file named taksmgr.exe in the Windows system
folder and creates the following registry entries:
HKCU\Software\Microsoft\Windows\CurrentVersion\Run\
Start Upping
"taksmgr.exe"
HKLM\Software\Microsoft\Windows\CurrentVersion\Run\
Start Upping
"taksmgr.exe"
HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices\
Start Upping
"taksmgr.exe"
Patches for the operating system vulnerabilities exploited by
W32/Rbot-SB can be obtained from Microsoft at:
http://www.microsoft.com/technet/security/bulletin/ms04-011.mspx
http://www.microsoft.com/technet/security/bulletin/ms03-039.mspx
http://www.microsoft.com/technet/security/bulletin/ms03-007.mspx
http://www.microsoft.com/technet/security/bulletin/ms01-059.mspx
Name W32/Rbot-RY
Type
* Worm
How it spreads
* Network shares
Affected operating systems
* Windows
Side effects
* Allows others to access the computer
* Steals information
* Reduces system security
* Records keystrokes
* Installs itself in the Registry
* Exploits system or software vulnerabilities
Prevalence (1-5) 2
Description
W32/Rbot-RY is a Windows network worm that spreads to weakly protected
network shares and computers vulnerable to the RPC-DCOM exploit (see
Microsoft Security Bulletin MS04-012).
W32/Rbot-RY has an IRC backdoor which connects to a preconfigured IRC
server and joins a channel allowing a remote user access to the infected
computer.
The worm can steal product keys, can be used in denial-of-service and
distributed-denial-of-service attacks, upload and download files, and
run specified programs.
Advanced
W32/Rbot-RY is a Windows network worm with an IRC backdoor.
The worm can spread to ADMIN$ and C$ network shares with weak usernames
and passwords. The worm will also attempt to spread to computers
vulnerable to the DCOM exploit (see Microsoft Security Bulletin
MS04-012).
In order to run automatically when Windows starts up the worm copies
itself to the Windows system folder as msngf.exe and creates the
following registry entries:
HKLM\Software\Microsoft\Windows\CurrentVersion\Run
Sygate Personal Firewall Start
servic.exe
HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices
Sygate Personal Firewall Start
servic.exe
HKCU\Software\Microsoft\Windows\CurrentVersion\Run
Sygate Personal Firewall Start
servic.exe
Once installed, W32/Rbot-RY connects to a preconfigured IRC server and
joins a channel from which an attacker can issue further commands.
These commands can cause the infected machine to perform any of the
following actions:
Initiate distributed denial-of-service (DDOS) attacks
Flood a remote host (by either ping or HTTP)
Start a SOCKS4 proxy server
Port scan for vulnerabilities on other remote computers
Execute arbitrary commands
Steal product keys
Upload and download files
Send emails as specified by the remote user
Shut down and reboot the computer
Delete network shares
Log any keystrokes made on the infected computer
Stop a runnning service
Flush the DNS and ARP caches
Capture images of the desktop and from a webcam (if connected)
The worm may also commanded to attempt to disable DCOM by setting the
following registry entry:
HKLM\Software\Microsoft\OLE
EnableDCOM
N
Name W32/Sdbot-SI
Type
* Worm
How it spreads
* Network shares
Affected operating systems
* Windows
Side effects
* Allows others to access the computer
* Steals information
* Installs itself in the Registry
* Used in DOS attacks
Aliases
* Backdoor.Win32.SdBot.gen
* W32/Sdbot.worm.gen
Prevalence (1-5) 2
Description
W32/Sdbot-SI is a network worm and backdoor for the Windows platform.
The worm spreads to shared folders with weak passwords.
When first run W32/Sdbot-SI copies itself to the Windows system folder
as ffasd.exe.
The backdoor component allows a remote attacker to:
* transfer files to and from the infected computer
* steal CD keys for certain game software
* use the infected computer as a proxy server
* launch distributed denial-of-service attacks
* send email
W32/Sdbot-SI spreads through network shares protected by weak passwords.
The worm uses the filename vvczsd.exe when spreading through network
shares.
Advanced
W32/Sdbot-SI is a network worm and backdoor for the Windows platform.
The worm spreads to shared folders with weak passwords.
The backdoor component connects to a predefined IRC server and waits for
commands from a remote attacker.
When first run W32/Sdbot-SI copies itself to the Windows system folder
as ffasd.exe and creates the following registry entries in order to run
each time a user logs on:
HKLM\Software\Microsoft\Windows\CurrentVersion\Run
SAvasddwq
ffasd.exe
HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices
SAvasddwq
ffasd.exe
HKCU\Software\Microsoft\Windows\CurrentVersion\Run
SAvasddwq
ffasd.exe
The backdoor component allows a remote attacker to:
* transfer files to and from the infected computer
* steal CD keys for certain game software
* use the infected computer as a proxy server
* launch distributed denial-of-service attacks
* send email
W32/Sdbot-SI spreads through network shares protected by weak passwords.
The worm uses the filename vvczsd.exe when spreading through network
shares.
--- MultiMail/Win32 v0.43
* Origin: Try Our Web Based QWK: DOCSPLACE.ORG (1:123/140)
|