Conference DIRTY_DOZEN, 201 texts
Text 186, 1058 lines
Written 2007-05-06 12:01:00 by KURT WISMER
Subject: News, May 6 2007
========================
[cut-n-paste from sophos.com]

Name   W32/Lovelet-AD

Type  
    * Worm

How it spreads  
    * Removable storage devices
    * Email attachments
    * Infected files
    * Chat programs

Affected operating systems  
    * Windows

Side effects  
    * Turns off anti-virus applications
    * Modifies data on the computer
    * Forges the sender's email address
    * Uses its own emailing engine
    * Downloads code from the internet
    * Reduces system security
    * Installs itself in the Registry

Aliases  
    * Win32/VB.BP

Prevalence (1-5) 2

Description
W32/Lovelet-AD is a worm for the Windows platform.

W32/Lovelet-AD spreads by:
- Copying itself to autorun.inf into any writable drive
- Email attachments
- Infected files
- Replacing PIF files with a copy of W32/Lovelet-AD
- Yahoo Instant Messenger

W32/Lovelet-AD includes functionality to access the internet and 
communicate with a remote server via HTTP.

Advanced
W32/Lovelet-AD is a worm for the Windows platform.

W32/Lovelet-AD spreads by:
- Copying itself to autorun.inf into any writable drive
- Email attachments
- Infected files
- Replacing PIF files with a copy of W32/Lovelet-AD
- Yahoo Instant Messenger

W32/Lovelet-AD includes functionality to access the internet and 
communicate with a remote server via HTTP.

When first run W32/Lovelet-AD copies itself to:

<Desktop>\Microsoft Word Document.scr
<Root>\autorun.inf
<Start Menu>\New Microsoft Word Document.scr
<Start Menu>\Programs\Microsoft Word Document.scr

as well as numerous locations (more than 1000 files) and sub folders 
in:

<Application Data>\Microsoft\CD Burning\
<My Documents>\
<Profile>\
<Root>\
<Start Menu>\
<System>\
<Windows>\
<Windows>\Prefetch\
<Windows>\gorgle\

The following registry entries are created to run W32/Lovelet-AD on 
startup:

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer
Run
<System>\mskernel.exe

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion
Run
<Windows>\lsass.exe

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion
Run
WinRun
<Windows>\AutoRun.ini

as well as the following modification of existing entries:

HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon
Shell
explorer.exe <Windows>\services.exe

HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon
Userinit
<System>\userinit.exe,<Windows>\gorgle\csrss.exe

The following registry entries are created to make removal of 
W32/Lovelet-AD difficult for the user:

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\HideFileExt
CheckedValue
1

HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System
DisableRegistryTools
1

The following registry entries are set or modified, so that 
W32/Lovelet-AD is run when files with extensions of PIF are 
opened/launched:

HKCR\AVIFile\shell\open\command
(default)
<Windows>\setup\mskernel.exe %1

HKCR\piffile\shell\open\command
(default)
<Windows>\setup\mskernel.exe %1





Name   Troj/Starter-F

Type  
    * Trojan

Affected operating systems  
    * Windows

Side effects  
    * Installs itself in the Registry
    * Leaves non-infected files on computer

Prevalence (1-5) 2

Description
Troj/Starter-F is a Trojan for the Windows platform.

Advanced
Troj/Starter-F is a Trojan for the Windows platform.

When run, it copies itself to <System>\FLASH32.COM and creates the 
file <System>\BLOCKS.EXE. The file BLOCKS.exe is not malicious.

The following registry entry is created to run FLASH32.COM on startup:

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Flash32
<System>\FLASH32.COM -s

The following registry entry is set:

HKLM\SOFTWARE\Microsoft\WindowsNT\CurrentVersion\Run
Flash32
<System>\FLASH32.COM -s





Name   Troj/Agent-EOL

Type  
    * Trojan

Affected operating systems  
    * Windows

Side effects  
    * Downloads code from the internet

Aliases  
    * Trojan-Downloader.Win32.Agent.bls
    * TROJ_AGENT.NEV

Prevalence (1-5) 2

Description
Troj/Agent-EOL is a downloading Trojan for the Windows platform.





Name   W32/Alman-B

Type  
    * Virus

How it spreads  
    * Infected files

Affected operating systems  
    * Windows

Prevalence (1-5) 2

Description
W32/Alman-B is a virus for the Windows platform.

Advanced
W32/Alman-B is a virus for the Windows platform.

W32/Alman-B searches for and infects files with EXE extension.

When first run W32/Alman-B creates the following files:

<Windows>\c_121.nls
<Windows>\AppPatch\deamon.dll

These files are also detected as W32/Alman-B.





Name   W32/Rbot-GMZ

Type  
    * Worm

How it spreads  
    * Network shares

Affected operating systems  
    * Windows

Side effects  
    * Allows others to access the computer
    * Reduces system security
    * Installs itself in the Registry
    * Exploits system or software vulnerabilities

Prevalence (1-5) 2

Description
W32/Rbot-GMZ is a worm for the Windows platform which attempts to 
spread via network shares.

W32/Rbot-GMZ spreads to computers vulnerable to common exploits, 
including: IIS5SSL (MS03-007).

Advanced
W32/Rbot-GMZ is a worm for the Windows platform which attempts to 
spread via network shares.

W32/Rbot-GMZ contains backdoor functions that allow unauthorized 
remote access to the infected computer via IRC channels.

W32/Rbot-GMZ spreads to computers vulnerable to common exploits, 
including: IIS5SSL (MS03-007).

The following patch for the operating system vulnerability exploited 
by the worm can be obtained from the Microsoft website:

MS04-011

When first run W32/Rbot-GMZ copies itself as a randomly named exe to:
<System>\<random>.exe

W32/Rbot-GMZ may create the following registry entries:

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Windows LoL Layer
azypbrx.exe

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices
Windows LoL Layer
azypbrx.exe

HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\
<System>\azypbrx.exe:*:Disabled:azypbrx

HKCU\.DEFAULT\Software\Microsoft\Windows\ShellNoRoam\MUICache\
<System>\azypbrx.exe
azypbrx





Name   W32/KillFil-BP

Type  
    * Worm

How it spreads  
    * Network shares
    * Peer-to-peer

Affected operating systems  
    * Windows

Prevalence (1-5) 2

Description
W32/KillFil-BP is a worm for the Windows platform.

Advanced
W32/KillFil-BP is a worm for the Windows platform.





Name   VBS/Solow-D

Type  
    * Worm

How it spreads  
    * Removable storage devices

Affected operating systems  
    * Windows

Side effects  
    * Installs itself in the Registry
    * Leaves non-infected files on computer

Aliases  
    * Worm.VBS.Solow.a
    * VBS/IE-Title
    * VBS/Butsur.B
    * VBS_SOLOW.A

Prevalence (1-5) 2

Description
VBS/Solow-D is a worm for the Windows platform.

Advanced
VBS/Solow-D is a worm for the Windows platform.

VBS/Solow-D attempts to spread through removable storage devices.

When installed VBS/Solow-D copies itself to 
<Windows>\MS32DLL.dll.vbs.

The following registry entry is created to run the file 
MS32DLL.dll.vbs at startup:

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
MS32DLL
<Windows>\MS32DLL.dll.VBS

The following registry entry is set:

HKCU\Software\Microsoft\Internet Explorer\Main
Windows Title
'Hacked by <email address>'

Every 200 seconds VBS/Solow-D enumerates available removable devices 
and attempts to copy itself to each with the filename 
MS32DLL.dll.vbs. The worm also creates the file autorun.inf that 
contains instructions to autorun the copy of the worm once the 
infected drive is accessed.





Name   Troj/Dloadr-AXU

Type  
    * Trojan

Affected operating systems  
    * Windows

Side effects  
    * Downloads code from the internet

Prevalence (1-5) 2

Description
Troj/Dloadr-AXU is a Trojan downloader for the Windows platform.

Advanced
Troj/Dloadr-AXU is a Trojan downloader for the Windows platform.

Troj/Dloadr-AXU will attempt to download and execute a file detected 
as Troj/TinyDl-G.

When first run Troj/Dloadr-AXU copies itself to 
<System>\1916435341.exe.

The following registry entry is created to run 1916435341.exe on 
startup:

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
1916435341.exe
<System>\1916435341.exe





Name   W32/Stando-B

Type  
    * Worm

How it spreads  
    * Removable storage devices
    * Network shares

Affected operating systems  
    * Windows

Side effects  
    * Drops more malware
    * Installs itself in the Registry

Aliases  
    * TROJ_AGENT.MRW

Prevalence (1-5) 2

Description
W32/Stando-B is a worm for the Windows platform.

W32/Stando-B spreads to other network computers.

W32/Stando-B includes functionality to access the internet and 
communicate with a remote server via HTTP.

Advanced
W32/Stando-B is a worm for the Windows platform.

W32/Stando-B spreads to other network computers.

W32/Stando-B includes functionality to access the internet and 
communicate with a remote server via HTTP.

When first run W32/Stando-B copies itself to

<Temp>\suchost.exe
<Temp>\mgrShell.exe

and creates the file <System>\activeds.exe.

The file activeds.exe is detected as Troj/Bckdr-QIA.

Registry entries are set as follows to run the worm copy on startup:

HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run
scApp
<Root>\DOCUME~1\REPCLI~1\LOCALS~1\Temp\suchost.exe

W32/Stando-B copies itself to the root folder of available disk 
drives with the filename sys.exe and creates the hidden file 
autorun.inf containing the following text:

[autorun]
open=sys.exe

W32/Stando-B may attempt to write to the end of files with a DOC 
extension, and may modify files in the root drive or internet cache 
folder called ~Thumbs.db or in the internet cache folder called 
~RSW114.tmp.

W32/Stando-B may set the following registry entry to allow Autoplay 
on removable, fixed, CD-ROM and RAM drives:

HKCU\Software\Microsoft\CurrentVersion\Policies\Explorer
NoDriveTypeAutoRun
91

W32/Stando-B may set the following registry entries to prevent hidden 
files from being shown, including files related to itself:

HKCU\Software\Microsoft\CurrentVersion\Explorer\Advanced
SuperHidden
1

HKCU\Software\Microsoft\CurrentVersion\Explorer\Advanced
ShowSuperHidden
0





Name   Troj/BHO-BQ

Type  
    * Trojan

Affected operating systems  
    * Windows

Side effects  
    * Installs a browser helper object

Prevalence (1-5) 2

Description
Troj/BHO-BQ is a Trojan for the Windows platform.

Advanced
Troj/BHO-BQ is a Trojan for the Windows platform.

Troj/BHO-BQ will attempt to install itself as a browser helper object 
and redirect typed URLs and search queries to another website.





Name   W32/SillyFD-AA

Type  
    * Worm

How it spreads  
    * Removable storage devices

Affected operating systems  
    * Windows

Side effects  
    * Installs itself in the Registry
    * Leaves non-infected files on computer

Aliases  
    * Worm.Win32.VB.fw
    * W32/Sillyworm.WR
    * W32/Archiles.worm
    * WORM_VB.CNG

Prevalence (1-5) 2

Description
W32/SillyFD-AA is a worm for the Windows platform.

Advanced
W32/SillyFD-AA is a worm for the Windows platform.

Once installed W32/SillyFD-AA spreads through removable storage 
devices, including floppy drives and USB keys. The worm attempts to 
create a hidden file Autorun.inf on the removable drive and copy 
itself to the removable drive with the hidden filename 
<Root>\handydriver.exe.

The file <Root>\Autorun.inf is designed to start the worm once the 
removable drive is connected to an uninfected computer.

W32/SillyFD-AA copies itself to the following locations:
<Root>\kerneldrive.exe
<Windows>\regedit.exe
<Windows>\pchealth\helpctr\Binaries\msconfig.exe
<System>\systeminit.exe
<System>\wininit.exe
<System>\winsystem.exe
<System>\cmd.exe
<System>\taskmgr.exe


W32/SillyFD-AA also creates the following file <Root>\autorun.inf.

The following registry entries are set to run W32/SillyFD-AA on 
startup:

HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon
Userinit
<System>\userinit.exe,<System>\systeminit.exe,

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
wininit
<System>\wininit.exe


The following registry entries are also set:

HKCU\Software\Microsoft\Internet Explorer\Main
Window Title
Hacked by 1BYTE

HKCU\Software\Microsoft
ServicePack
1.2

HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer
SearchHidden
0

HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer
SearchSystemDirs
0

HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer
NoFolderOptions
1

HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System
DisableRegedit
1


HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System
DisableRegistryTools
1


HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System
DisableTaskMgr
1

HKCU\Software\Microsoft
nFlag
1


HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced
Hidden
1

HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced
HideFileExt
1

HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced
ShowSuperHidden
0

HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced
SuperHidden
1

HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer
NoDriveTypeAutoRun
0

HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess
Start
1





Name   Troj/Dloadr-AYA

Type  
    * Trojan

Affected operating systems  
    * Windows

Side effects  
    * Downloads code from the internet
    * Opens links to websites

Aliases  
    * W32/Downloader.APBK
    * Trojan-Downloader.Win32.Delf.kc
    * TROJ_DLOADER.GXJ

Prevalence (1-5) 2

Description
Troj/Dloadr-AYA is a Trojan for the Windows platform.

Advanced
Troj/Dloadr-AYA is a Trojan for the Windows platform.

Troj/Dloadr-AYA includes functionality to access the internet and 
communicate with a remote server via HTTP.

When first run Troj/Dloadr-AYA copies itself to the root folder.





Name   Troj/WLDrop-A

Type  
    * Trojan

Affected operating systems  
    * Windows

Side effects  
    * Drops more malware
    * Installs itself in the Registry

Aliases  
    * W32/Agent.CIP
    * Spy-Agent.bv.dr
    * Win32/Wigon.W
    * Trojan.Win32.Agent.ady

Prevalence (1-5) 2

Description
Troj/WLDrop-A is a Trojan for the Windows platform.

Advanced
Troj/WLDrop-A is a Trojan for the Windows platform.

When Troj/WLDrop-A is installed it creates one of the following files:

<System>\main.sys
<Current folder>\systems.dll

The file main.sys is detected as Troj/NTRootK-BP. The file 
systems.dll is detected as Mal/SpyAgent-A.

If the file main.sys is dropped, it is registered as a new system 
driver service named "EXAMPLE". Registry entries are created under:

HKLM\SYSTEM\CurrentControlSet\Services\EXAMPLE

If the file systems.dll is dropped, the following registry entry is 
created to run it on system startup:

HKCU\Software\Microsoft\Windows NT\CurrentVersion\Winlogon
Shell
rundll32 "<Current folder>\systems.dll" X4,explorer.exe





Name   W32/Rising-B

Type  
    * Worm

How it spreads  
    * Removable storage devices
    * Network shares

Affected operating systems  
    * Windows

Side effects  
    * Downloads code from the internet
    * Installs itself in the Registry

Aliases  
    * Worm.Win32.Agent.az
    * WORM_AGENT.OQV
    * Win32/Agent.NEO

Prevalence (1-5) 2

Description
W32/Rising-B is a worm for the Windows platform.

W32/Rising-B can spread to local drives, removable media and network 
shares.

W32/Rising-B includes functionality to access the internet and 
communicate with a remote server via HTTP.

Advanced
W32/Rising-B is a worm for the Windows platform.

W32/Rising-B can spread to local drives, removable media and network 
shares.

W32/Rising-B includes functionality to access the internet and 
communicate with a remote server via HTTP.

When first run W32/Rising-B copies itself to:

<Root>\rising.exe
<System>\<8 random letters>.exe

and drops the following files:

<Root>\autorun.inf - auto run script, may be deleted safely.
<System>\<8 random letters>.dll - also detected as W32/Rising-B

W32/Rising-B creates the following registry entries to start itself 
as a service:

HKLM\SYSTEM\CurrentControlSet\Services\ERSvc\

HKLM\SYSTEM\CurrentControlSet\Services\<8 random characters>\

HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_<8 random characters>\

HKCU\SYSTEM\CurrentControlSet\Services\<8 random characters>\

The <8 random characters> references above are all the same. The 
characters randomize when the worm is propagated.





Name   W32/Rbot-GOS

Type  
    * Worm

How it spreads  
    * Network shares

Affected operating systems  
    * Windows

Side effects  
    * Allows others to access the computer
    * Downloads code from the internet
    * Installs itself in the Registry
    * Exploits system or software vulnerabilities
    * Used in DOS attacks

Aliases  
    * WORM_RBOT.FAY

Prevalence (1-5) 2

Description
W32/Rbot-GOS is a worm with IRC backdoor functionality for the 
Windows platform.

Advanced
W32/Rbot-GOS is a worm with IRC backdoor functionality for the 
Windows platform.

W32/Rbot-GOS runs continuously in the background, providing a 
backdoor server which allows a remote intruder to gain access and 
control over the computer via IRC channels.

W32/Rbot-GOS spreads to other network computers:
- by exploiting common buffer overflow vulnerabilities, including: 
LSASS (MS04-011), SRVSVC (MS06-040), RPC-DCOM (MS04-012), PNP 
(MS05-039), ASN.1 (MS04-007), RealVNC (CVE-2006-2369) and Symantec 
(SYM06-010)

- networks protected by weak passwords

When first run W32/Rbot-GOS copies itself to <System>\netsrv.exe. The 
following registry entries are created to run W32/Rbot-GOS on startup:

HKCU\Software\Microsoft\Windows\CurrentVersion\Run
Microsoft
netsrv.exe

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices
Microsoft
netsrv.exe

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Microsoft
netsrv.exe

W32/Rbot-GOS includes functionality to:
- terminate security and anti-virus related processes
- download code from the internet
- perform port scanning
- perform DDoS attacks
- steal information including computer game keys
- setup a SOCKS4 proxy server





Name   Troj/SpyAgent-E

Type  
    * Trojan

Affected operating systems  
    * Windows

Side effects  
    * Drops more malware
    * Dropped by malware

Aliases  
    * Trojan-Dropper.Win32.Agent.bge
    * W32/Downloader2.BNE

Prevalence (1-5) 2

Description
Troj/SpyAgent-E is a dropper Trojan for the Windows platform.

Troj/SpyAgent-E drops further malware detected as Troj/Pushu-B.

Troj/SpyAgent-E may be dropped by members of the Mal/SpyAgent-A family.





Name   W32/Poebot-LL

Type  
    * Worm

How it spreads  
    * Network shares

Affected operating systems  
    * Windows

Side effects  
    * Allows others to access the computer
    * Installs itself in the Registry
    * Exploits system or software vulnerabilities

Prevalence (1-5) 2

Description
W32/Poebot-LL is a worm for the Windows platform.

W32/Poebot-LL spreads to other network computers by exploiting common 
buffer overflow vulnerabilities, including: LSASS (MS04-011), SRVSVC 
(MS06-040), RPC-DCOM (MS04-012) and PNP (MS05-039).

Advanced
W32/Poebot-LL is a worm for the Windows platform.

W32/Poebot-LL spreads to other network computers by exploiting common 
buffer overflow vulnerabilities, including: LSASS (MS04-011), SRVSVC 
(MS06-040), RPC-DCOM (MS04-012) and PNP (MS05-039).

When first run W32/Poebot-LL copies itself to <System>\spoolsvc.exe 
and creates the file <Current Folder>\pzyhjvv.bat.
 
The following registry entry is created to run spoolsvc.exe on startup:
 
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Spooler SubSystem App
<System>\spoolsvc.exe





Name   Troj/Banker-EFM

Type  
    * Spyware Trojan

Affected operating systems  
    * Windows

Side effects  
    * Steals credit card details
    * Steals information
    * Records keystrokes
    * Installs itself in the Registry

Aliases  
    * Trojan-Spy.Win32.Banker.ciy

Prevalence (1-5) 2

Description
Troj/Banker-EFM is an internet banking Trojan for the Windows platform.

Advanced
Troj/Banker-EFM is an internet banking Trojan for the Windows platform.

When Troj/Banker-EFM is installed the following files are created:

<Root>\file.exe
<Root>\start.bat
<Startup>\wsnctfy.exe
<Windows>\svchost.exe
<Windows>\Tasks\startt.job

The following registry entry is changed to run Troj/Banker-EFM on 
startup:

HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon
Shell
explorer.exe <Windows>\svchost.exe

The file explorer <Windows>\svchost.exe is registered as a new 
service named "GbpSv". Registry entries are created under:

HKLM\SYSTEM\CurrentControlSet\Services\GbpSv





Name   Troj/DownLd-ABF

Type  
    * Trojan

How it spreads  
    * Web browsing

Affected operating systems  
    * Windows

Side effects  
    * Downloads code from the internet
    * Installs itself in the Registry

Prevalence (1-5) 2

Description
Troj/DownLd-ABF is an advertising related downloader Trojan for the 
Windows platform.

Troj/DownLd-ABF infects HTML files stored on the local computer with 
IFRAME links to advertising related HTML pages.

Troj/DownLd-ABF can arrive as a result of web browsing. Visiting 
certain web sites may initiate the download process.

Advanced
Troj/DownLd-ABF is an advertising related downloader Trojan for the 
Windows platform.

Troj/DownLd-ABF infects all HTML files on the computer, appending a 
SRC= link to a remote JavaScript file. This JavaScript simply uses 
document.write to append a new IFRAME element to the HTML file, with 
a SRC= link to an advertising related HTML page.

Troj/DownLd-ABF can arrive as a result of web browsing. Visiting 
certain web sites may initiate the download process.

When Troj/DownLd-ABF is installed the following files are typically 
created:

<Windows>\123.txt
<Windows>\1234.txt
<Windows>\edit.txt
<Windows>\ganran.txt
<System>\5640.exe
<System>\705.54755640.exe
<System>\winsock.exe
<Temporary Internet Files>\mh[1].exe

The following registry entry is created to run 5640.exe on startup:

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
(Default)
<System>\5640.exe

 
--- MultiMail/Win32 v0.43
 * Origin: Doc's Place BBS Fido Since 1991 docsplace.tzo.com (1:123/140)
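As an added example, not part of Kurt Wismer's post or of Sophos' material: a small Python triage helper for the key / value-name / data registry blocks the advisories above use, labelling the persistence or tamper technique of each entry and listing what a modified Winlogon Shell or Userinit value launches beyond the Windows default. The sample text is constructed from entries quoted on this page; the baseline placeholder values and all function names are assumptions.

```python
"""Triage helper for the key / value-name / data registry blocks in the Sophos
advisories above; SAMPLE is constructed from entries quoted on this page."""
import re

HIVES = ("HKLM\\", "HKCU\\", "HKCR\\")
# Clean-host contents of the two Winlogon values, lower-cased. The <System>
# placeholder stands in for the real system32 path when checking a live host.
WINLOGON_BASELINE = {"Shell": {"explorer.exe"}, "Userinit": {"<system>\\userinit.exe"}}
LOCKOUT_VALUES = {"DisableRegistryTools", "DisableTaskMgr", "DisableRegedit", "NoFolderOptions"}
HIDING_VALUES = {"HideFileExt", "ShowSuperHidden", "SuperHidden", "Hidden", "SearchHidden"}

def parse_registry_entries(text):
    """Return (key, value_name, data) triples: a hive-prefixed line followed by
    up to two non-blank lines; name/data are None when the block is key-only."""
    lines = [line.strip() for line in text.splitlines()]
    entries, i = [], 0
    while i < len(lines):
        if not lines[i].startswith(HIVES):
            i += 1
            continue
        key, fields = lines[i], []
        i += 1
        while i < len(lines) and lines[i] and not lines[i].startswith(HIVES) and len(fields) < 2:
            fields.append(lines[i])
            i += 1
        fields += [None] * (2 - len(fields))
        entries.append((key, fields[0], fields[1]))
    return entries

def classify(entry):
    """Label the persistence or tamper technique an entry implements."""
    key, name, _data = entry
    k = key.lower()
    if k.startswith("hkcr\\") and "shell\\open\\command" in k:
        return "file-association hijack"          # piffile -> mskernel.exe %1
    if k.endswith("\\winlogon") and name in WINLOGON_BASELINE:
        return f"winlogon {name.lower()} hijack"  # extra program in Shell/Userinit
    if re.search(r"\\(run|runonce|runservices)$", k):
        return "run-key autostart"                # includes Policies\Explorer\Run
    if "\\firewallpolicy\\" in k:
        return "firewall exception"
    if "\\currentcontrolset\\services\\" in k or "\\enum\\root\\legacy_" in k:
        return "service install"
    if name in LOCKOUT_VALUES:
        return "admin-tool lockout"               # regedit / taskmgr disabled
    if name in HIDING_VALUES:
        return "file-hiding tamper"
    if name == "NoDriveTypeAutoRun":
        return "autorun policy change"
    return "other"

def winlogon_extras(entry):
    """Programs a Winlogon Shell (space-separated) or Userinit (comma-separated)
    value launches beyond the baseline. Quoted paths with spaces are not handled."""
    _key, name, data = entry
    if name not in WINLOGON_BASELINE or not data:
        return []
    parts = data.split(",") if name == "Userinit" else data.split()
    return [p for p in (x.strip() for x in parts) if p and p.lower() not in WINLOGON_BASELINE[name]]

SAMPLE = r"""HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
WinRun
<Windows>\AutoRun.ini

HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon
Shell
explorer.exe <Windows>\services.exe

HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon
Userinit
<System>\userinit.exe,<Windows>\gorgle\csrss.exe

HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System
DisableRegistryTools
1

HKCR\piffile\shell\open\command
(default)
<Windows>\setup\mskernel.exe %1"""
```

Running `[classify(e) for e in parse_registry_entries(SAMPLE)]` gives one label per block, and `winlogon_extras` on the two Winlogon entries isolates the appended services.exe and csrss.exe paths.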