Text 190, 849 rader
Skriven 2007-06-02 13:42:00 av KURT WISMER
Ärende: News, June 2 2007
=========================
[cut-n-paste from sophos.com]
Name Troj/Goldun-FZ
Type
* Spyware Trojan
Affected operating systems
* Windows
Side effects
* Steals information
* Downloads code from the internet
Prevalence (1-5) 2
Description
Troj/Goldun-FZ is a Trojan for the Windows platform.
Advanced
Troj/Goldun-FZ is a Trojan for the Windows platform.
When run, the Trojan creates the file <System>\msdom2.dll and this
file is detected as Troj/Goldun-FZ.
Name W32/Looked-DW
Type
* Virus
How it spreads
* Network shares
* Infected files
Affected operating systems
* Windows
Side effects
* Modifies data on the computer
* Drops more malware
* Downloads code from the internet
* Installs itself in the Registry
Prevalence (1-5) 2
Description
W32/Looked-DW is a prepending virus and worm for the Windows platform.
Advanced
W32/Looked-DW is a prepending virus and worm for the Windows platform.
W32/Looked-DW spreads to other network computers.
W32/Looked-DW includes functionality to access the internet and
communicate with a remote server via HTTP. W32/Looked-DW may attempt
to download and execute additional files from a remote location.
When first run W32/Looked-DW copies itself to the following locations:
<Windows>\uninstall\rundl132.exe
<Windows>\logo1_.exe
and creates the file <Windows>\RichDll.dll.
The file RichDll.dll is also detected as W32/Looked-DW.
The following registry entry is created to run rundl132.exe on startup:
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
load
<Windows>\uninstall\rundl132.exe
Registry entries are created under:
HKLM\SOFTWARE\Soft\DownloadWWW\
Name Troj/Mdrop-BPE
Type
* Trojan
Affected operating systems
* Windows
Side effects
* Drops more malware
Prevalence (1-5) 2
Description
Troj/Mdrop-BPE is a Trojan for the Windows platform.
Advanced
Troj/Mdrop-BPE is a Trojan for the Windows platform.
When Troj/Mdrop-BPE is installed the following files are created:
<System>\exec1.exe - detected as W32/IRCBot-WA
<System>\exec2.exe - detected as Troj/Keygen-BI
Name W32/Seccmu-A
Type
* Worm
How it spreads
* Removable storage devices
Affected operating systems
* Windows
Side effects
* Installs itself in the Registry
Aliases
* Trojan.Win32.VB.pt
* Win32/VB.PT trojan
* WORM_VB.AK
Prevalence (1-5) 2
Description
W32/Seccmu-A is a worm for the Windows platform.
Advanced
W32/Seccmu-A is a worm for the Windows platform.
W32/Seccmu-A attempts to copy itself to C:\Windows\system32\csrs.exe
and A:\Practica3.exe, and sets the following registry entry to run
itself on startup:
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Windows Action
C:\Windows\system32\csrs.exe
W32/Seccmu-A generates a fake error message box with the title "Error
de ejecucion" and the text "Practica3.xls Danado".
Name Troj/Kimat-C
Type
* Trojan
Affected operating systems
* Windows
Side effects
* Installs itself in the Registry
* Modifies browser settings
Prevalence (1-5) 2
Description
Troj/Kimat-C is a Trojan for the Windows platform.
Advanced
Troj/Kimat-C is a Trojan for the Windows platform.
When first run Troj/Kimat-C copies itself to:
<User>\Templates\winword.doc.exe
<User>\Templates\winword2.doc.exe
<CurrentFolder>\sample1.doc.exe
<Root>\Tiara Lestari.exe
<Root>\goats\SAMPLE1.DOC.exe
<Root>\sample1.doc.exe
<System>\config\systemprofile\Templates\winword.doc.exe
<System>\config\systemprofile\Templates\winword2.doc.exe
<Windows>\zistro.exe
The following registry entry is created to run zistro.exe on startup:
HKCU\Software\Microsoft\Windows\CurrentVersion\Run
test
<Windows>\zistro.exe
The following registry entry is set, disabling system software:
HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System
DisableRegistryTools
1
Registry entries are set as follows:
HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer
NoFolderOptions
1
HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System
DisableRegedit
1
HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced
Hidden
0
HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced
HideFileExt
1
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder
\Hidden\SHOWALL
DefaultValue
1
Name W32/Fujacks-AK
Type
* Virus
How it spreads
* Removable storage devices
* Network shares
* Infected files
Affected operating systems
* Windows
Side effects
* Drops more malware
* Downloads code from the internet
* Reduces system security
* Installs itself in the Registry
* Leaves non-infected files on computer
Prevalence (1-5) 2
Description
W32/Fujacks-AK is an attempted virus and worm for the Windows platform.
W32/Fujacks-AK spreads to other network computers through available
network shares and removeable storage devices by coping itself with
the filenames GameSetup.exe and setup.exe correspondingly.
W32/Fujacks-AK also creates the file autorun.inf to ensure that the
file setup.exe is executed.
Advanced
W32/Fujacks-AK is an attempted virus and worm for the Windows platform.
W32/Fujacks-AK spreads to other network computers through available
network shares and removeable storage devices by coping itself with
the filenames GameSetup.exe and setup.exe correspondingly.
W32/Fujacks-AK also creates the file autorun.inf to ensure that the
file setup.exe is executed.
W32/Fujacks-AK includes functionality to access the internet and
communicate with a remote server via HTTP.
When first run W32/Fujacks-AK copies itself to
<System>\drivers\spoclsv.exe.
<Root>\setup.exe.
<Root>\autorun.inf. - This file can be safely deleted.
The following registry entry is created to run spoclsv.exe on startup:
HKCU\Software\Microsoft\Windows\CurrentVersion\Run
svcshare
<System>\drivers\spoclsv.exe
The following registry entry is set:
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder
\Hidden\SHOWALL
CheckedValue
0
W32/Fujacks-AK searches for EXE files in attempt to infect them and
creates Desktop_.ini file every time when succeed. This file may be
safely deleted.
W32/Fujacks-AK includes functionality to delete shares including the
Admin$ share.
W32/Fujacks-AK attempts to periodically copy itself to removeable
drives, including floppy drives and USB keys. The worm will attempt
to create a hidden file Autorun.inf on the removeable drive and copy
itself to the same location. The file Autorun.inf is designed to
start the worm once the removeable drive is connected to a uninfected
computer.
Name Troj/LdPinch-QW
Type
* Spyware Trojan
Affected operating systems
* Windows
Side effects
* Steals information
Aliases
* Trojan-PSW.Win32.LdPinch.bvf
Prevalence (1-5) 2
Description
Troj/LdPinch-QW is a Trojan for the Windows platform.
Name Troj/BHO-CC
Type
* Trojan
Affected operating systems
* Windows
Side effects
* Installs a browser helper object
Prevalence (1-5) 2
Description
Troj/BHO-CC is a Trojan for the Windows platform.
Troj/BHO-CC may register itself as a browser helper object for
Internet Explorer. When installed, it may steal user browsing habits
and redirect searches.
Advanced
Troj/BHO-CC is a Trojan for the Windows platform.
Troj/BHO-CC may register itself as a browser helper object for
Internet Explorer. When installed, it may steal user browsing habits
and redirect searches.
Name Mal/Behav-043
Type
* Malicious Behavior
Affected operating systems
* Windows
Prevalence (1-5) 2
Description
Mal/Behav-043 is a malicious file for the Windows platform.
Advanced
Mal/Behav-043 is a malicious file for the Windows platform.
Name W32/Poebot-LP
Type
* Spyware Worm
How it spreads
* Network shares
Affected operating systems
* Windows
Side effects
* Allows others to access the computer
* Steals information
* Downloads code from the internet
* Reduces system security
* Records keystrokes
* Installs itself in the Registry
* Exploits system or software vulnerabilities
* Used in DOS attacks
* Scans network for vulnerabilities
* Scans network for weak passwords
Prevalence (1-5) 2
Description
W32/Poebot-LP is a worm for the Windows platform.
The worm spreads through network shares protected by weak passwords
and through operating system vulnerabilities such as LSASS
(MS04-011), RPC-DCOM (MS04-012), PNP (MS05-039), SRVSVC (MS06-040)
and Dameware (CAN-2003-1030).
The backdoor component of W32/Poebot-LP connects to a predefined IRC
server and awaits commands from remote attackers. The backdoor
component of W32/Poebot-LP can be instructed by a remote user to
perform the following functions:
- start an FTP server
- start a proxy server
- start a web server
- take part in distributed denial of service (DDoS) attacks
- log keypresses
- capture screen/webcam images
- packet sniffing
- port scanning
- download/execute arbitrary files
- start a remote shell (RLOGIN)
- steals information from the Protected Storage Area
- steal product registration information from certain software
Advanced
W32/Poebot-LP is a worm for the Windows platform.
The worm spreads through network shares protected by weak passwords
and through operating system vulnerabilities such as LSASS
(MS04-011), RPC-DCOM (MS04-012), PNP (MS05-039), SRVSVC (MS06-040)
and Dameware (CAN-2003-1030).
The backdoor component of W32/Poebot-LP connects to a predefined IRC
server and awaits commands from remote attackers. The backdoor
component of W32/Poebot-LP can be instructed by a remote user to
perform the following functions:
- start an FTP server
- start a proxy server
- start a web server
- take part in distributed denial of service (DDoS) attacks
- log keypresses
- capture screen/webcam images
- packet sniffing
- port scanning
- download/execute arbitrary files
- start a remote shell (RLOGIN)
- steals information from the Protected Storage Area
- steal product registration information from certain software
When first run, W32/Poebot-LP copies itself to <Windows system
folder>\lsass.exe
W32/Poebot-LP sets the following registry entry to start at system
startup:
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Local Security Authority Servce
<Windows system folder>\lssas.exe
Name W32/Fujacks-AL
Type
* Virus
How it spreads
* Removable storage devices
* Network shares
* Infected files
Affected operating systems
* Windows
Side effects
* Turns off anti-virus applications
* Allows others to access the computer
* Modifies data on the computer
* Steals information
* Downloads code from the internet
* Reduces system security
* Records keystrokes
* Installs itself in the Registry
Prevalence (1-5) 2
Description
W32/Fujacks-AL is a virus for the Windows platform.
Advanced
W32/Fujacks-AL is a virus for the Windows platform.
W32/Fujacks-AL spreads to other network computers.
W32/Fujacks-AL includes functionality to access the internet and
communicate with a remote server via HTTP.
When first run W32/Fujacks-AL copies itself to
<System>\drivers\ncscv32.exe.
The following registry entry is created to run ncscv32.exe on startup:
HKCU\Software\Microsoft\Windows\CurrentVersion\Run
nvscv32
<System>\drivers\ncscv32.exe
The following registry entry is set:
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder
\Hidden\SHOWALL
CheckedValue
0
W32/Fujacks-AL attempts to periodically copy itself to removeable
drives, including floppy drives and USB keys. The worm will attempt
to create a hidden file Autorun.inf on the removeable drive and copy
itself to the same location. The file Autorun.inf is designed to
start the virus once the removeable drive is connected to a
uninfected computer.
Name Troj/Torpig-BV
Type
* Trojan
Affected operating systems
* Windows
Side effects
* Downloads code from the internet
Prevalence (1-5) 2
Description
Troj/Torpig-BV is a downloader Trojan for the Windows platform.
Advanced
Troj/Torpig-BV is a downloader Trojan for the Windows platform.
When run Troj/Torpig-BV creates the file \clean_4392d.dll. This file
is also detected as Troj/Torpig-BV.
Troj/Torpig-BV attempts to install the a service with the name
"ldrsvc".
Registry entries are created under:
HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_LDRSVC\
HKLM\SYSTEM\CurrentControlSet\Services\ldrsvc\
Name W32/Tilebot-JS
Type
* Trojan
Affected operating systems
* Windows
Side effects
* Allows others to access the computer
* Installs itself in the Registry
Prevalence (1-5) 2
Description
W32/Tilebot-JS is a backdoor worm for the Windows platform which
allows a remote intruder to gain access and control over the computer.
Advanced
W32/Tilebot-JS is a backdoor worm for the Windows platform which
allows a remote intruder to gain access and control over the computer.
W32/Tilebot-JS includes functionality to access the internet and
communicate with a remote server via HTTP.
W32/Tilebot-JS patches the Windows executable files ftp.exe and
tftp.exe so that they no longer function. W32/Tilebot-JS also patches
the Windows system file sfc_os.dll to disable Windows system file
checking.
When first run W32/Tilebot-JS copies itself to <Windows>\iexplore.exe.
The file iexplore.exe is registered as a new system driver service
named "Microsoft Internet Explorer", with a display name of
"Microsoft Internet Explorer" and a startup type of automatic, so
that it is started automatically during system startup. Registry
entries are created under:
HKLM\SYSTEM\CurrentControlSet\Services\Microsoft Internet Explorer
Registry entries are set as follows:
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon
SFCScan
0
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon
SFCDisable
ffffff9d
Name W32/SillyFDC-HO
Type
* Worm
How it spreads
* Removable storage devices
Affected operating systems
* Windows
Side effects
* Modifies data on the computer
* Installs itself in the Registry
Prevalence (1-5) 2
Description
W32/SillyFDC-HO is a worm for the Windows platform.
Advanced
W32/SillyFDC-HO is a worm for the Windows platform.
When run W32/SillyFDC-HO enumerates all the folders on the infected
computer and copies itself to those folders with that same folder
name but appended with an .exe file extension.
W32/SillyFDC-HO copies itself to <Windows>\windows.exe and sets the
following registry entry to run itself on startup:
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\
gpmce
<Windows>\windows.exe
HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer
NoFolderOptions
1
HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\system
DisableRegistryTools
1
HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\system
DisableTaskMgr
1
HKCU\Software\Policies\Microsoft\Windows\System
disableCMD
2
HKCU\Software\Microsoft\Internet Explorer\Main
Start Page
www.booble.com
HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced
DisableThumbnailCache
1
Name W32/Bagle-WX
Type
* Worm
How it spreads
* Email attachments
Affected operating systems
* Windows
Side effects
* Sends itself to email addresses found on the infected computer
* Installs itself in the Registry
Prevalence (1-5) 2
Description
W32/Bagle-WX is a worm for the Windows platform.
Advanced
W32/Bagle-WX is a worm for the Windows platform.
W32/Bagle-WX creates the file <Application Data>\hidires\m_hook.sys.
This file is registered as a service named "m_hook" with a startup
type of automatic. Registry entries are created under:
HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_M_HOOK\
HKLM\SYSTEM\CurrentControlSet\Services\m_hook\
The file m_hook.sys is also detected as W32/Bagle-WX.
The following registry entries are set:
HKLM\SYSTEM\CurrentControlSet\Services\Alerter
Start
4
HKLM\SYSTEM\CurrentControlSet\Services\Ndisuio
Start
4
HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess
Start
4
HKLM\SYSTEM\CurrentControlSet\Services\wuauserv
Start
4
Name W32/Bagle-SR
Type
* Worm
How it spreads
* Email messages
* Email attachments
Affected operating systems
* Windows
Side effects
* Sends itself to email addresses found on the infected computer
* Drops more malware
* Downloads code from the internet
Prevalence (1-5) 2
Description
W32/Bagle-SR is a worm for the Windows platform.
Advanced
W32/Bagle-SR is a worm for the Windows platform.
When run W32/Bagle-SR creates the files:
- \Local settings\Temp\~3.exe - detected as W32/Bagle-WX
- \Local settings\Temp\~4.exe - detected as Troj/BagleDL-PQ
- \Local settings\Temp\~5.exe - detected as W32/Bagle-WW
W32/Bagle also creates the following files which are harmless and can
be safely deleted:
- \Local settings\Temp\~3.tmp
- \Local settings\Temp\~4.tmp
- \Local settings\Temp\~5.tmp
W32/Bagle-SR creates the file \hidires\m_hook.sys which is detected
as W32/Bagle-WX. This file is registered as a service named "m_hook"
with a startup type of automatic. Registry entries are created under:
HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_M_HOOK\
HKLM\SYSTEM\CurrentControlSet\Services\m_hook\
The following registry entries are set:
HKLM\SYSTEM\CurrentControlSet\Services\Alerter
Start
4
HKLM\SYSTEM\CurrentControlSet\Services\Ndisuio
Start
4
HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess
Start
4
HKLM\SYSTEM\CurrentControlSet\Services\wuauserv
Start
4
Name W32/Looked-DH
Type
* Virus
How it spreads
* Network shares
* Infected files
Affected operating systems
* Windows
Side effects
* Installs itself in the Registry
Aliases
* Worm.Win32.Viking.lr
* Win32/Viking.DC
Prevalence (1-5) 2
Description
W32/Looked-DH is a virus for the Windows platform.
Advanced
W32/Looked-DH is a virus for the Windows platform.
When first run W32/Looked-DH unsuccessfully copies itself to:
<Current>\<original filename>.exe
<Windows>\uninstall\rundl132.exe
<Windows>\Logo1_.exe
The above files are a corrupt version of the original and may simply
be deleted.
W32/Looked-DH creates the following registry entry to start itself:
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
load
<Windows>\uninstall\rundl132.exe
--- MultiMail/Win32 v0.43
* Origin: Doc's Place BBS Fido Since 1991 docsplace.tzo.com (1:123/140)
|