Text 195, 963 lines
Written 2007-07-08 19:05:00 by KURT WISMER
Subject: News, July 8 2007
=========================
[cut-n-paste from sophos.com]
Name Troj/Ruby-B
Type
* Trojan
Affected operating systems
* Windows
Side effects
* Installs itself in the Registry
Prevalence (1-5) 2
Description
Troj/Ruby-B is a Trojan for the Windows platform.
Advanced
Troj/Ruby-B is a Trojan for the Windows platform.
When first run Troj/Ruby-B copies itself to:
<System>\RubeL.exe
<System>\config\RubeL.exe
The following registry entry is created to run RubeL.exe on startup:
HKCU\Software\Microsoft\Windows\CurrentVersion\Run
RubeL
<System>\RubeL.exe
Name W32/Virut-L
Type
* Virus
Affected operating systems
* Windows
Prevalence (1-5) 2
Description
W32/Virut-L is a virus for the Windows platform.
W32/Virut-L infects executable files.
W32/Virut-L also contains functionality to connect to an IRC channel
and listen for instructions to download further executable code.
Name W32/Tilebot-JX
Type
* Worm
How it spreads
* Network shares
Affected operating systems
* Windows
Side effects
* Turns off anti-virus applications
* Allows others to access the computer
* Downloads code from the internet
* Reduces system security
* Installs itself in the Registry
* Exploits system or software vulnerabilities
* Used in DOS attacks
Aliases
* Backdoor.Win32.VanBot.dj
* WORM_VANBOT.HB
Prevalence (1-5) 2
Description
W32/Tilebot-JX is a worm and IRC backdoor Trojan for the Windows
platform.
Advanced
W32/Tilebot-JX is a worm and IRC backdoor Trojan for the Windows
platform.
W32/Tilebot-JX spreads
- to computers vulnerable to common exploits, including: ASN.1
(MS04-007)
- to MSSQL servers protected by weak passwords
- to network shares
W32/Tilebot-JX runs continuously in the background, providing a
backdoor server which allows a remote intruder to gain access and
control over the computer via IRC channels.
W32/Tilebot-JX includes functionality to access the internet and
communicate with a remote server via HTTP. The worm may also attempt
to scan for and terminate certain anti-virus applications.
When first run W32/Tilebot-JX copies itself to <Windows>\ntvdm.exe.
W32/Tilebot-JX modifies the following files, affecting the system
file checker and command line file transfers:
<System>\sfc_os.dll
<System>\ftp.exe
<System>\tftp.exe
These files should be restored from a clean system backup.
W32/Tilebot-JX may create the files:
<System>\backup.ftp
<System>\backup.tftp
which are the original copies of ftp.exe and tftp.exe.
The file ntvdm.exe is registered as a new system driver service named
"NTVDM.", with a display name of "NTVDM." and a startup type of
automatic, so that it is started automatically during system startup.
Registry entries are created under:
HKLM\SYSTEM\CurrentControlSet\Services\NTVDM.
The following registry entries are set, disabling system software:
HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System
DisableTaskMgr
1
HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System
DisableRegistryTools
1
W32/Tilebot-JX sets the following registry entries, disabling the
automatic startup of other software:
HKLM\SYSTEM\CurrentControlSet\Services\Messenger
Start
4
HKLM\SYSTEM\CurrentControlSet\Services\RemoteRegistry
Start
4
HKLM\SYSTEM\CurrentControlSet\Services\TlntSvr
Start
4
Registry entries are set as follows:
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon
SFCScan
0
HKLM\SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile
EnableFirewall
0
HKLM\SOFTWARE\Policies\Microsoft\WindowsFirewall\StandardProfile
EnableFirewall
0
HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate
DoNotAllowXPSP2
1
HKLM\SOFTWARE\Microsoft\Ole
EnableDCOM
N
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon
SFCDisable
ffffff9d
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon
Shell
Explorer.exe <Windows>\ntvdm.exe
Registry entries are created under:
HKLM\SOFTWARE\Microsoft\Security Center
HKLM\SOFTWARE\Symantec\LiveUpdate Admin
Name W32/Hoxi-A
Type
* Spyware Worm
How it spreads
* Removable storage devices
* Network shares
Affected operating systems
* Windows
Side effects
* Turns off anti-virus applications
* Steals information
* Reduces system security
* Installs itself in the Registry
Prevalence (1-5) 2
Description
W32/Hoxi-A is a worm for the Windows platform.
Advanced
W32/Hoxi-A is a worm for the Windows platform.
When first run W32/Hoxi-A copies itself to:
- <Root>\IO.pif
- <Common Files>\services\svchost.exe
W32/Hoxi-A also creates the file <Root>\autorun.inf. This file is
also detected as W32/Hoxi-A.
The following registry entries are created to run W32/Hoxi-A on
startup:
HKLM\SOFTWARE\Microsoft\Active Setup\Installed
Components\{2bf41073-b2b1-21c1-b5c1-0701f4155588}
StubPath
<Common Files>\Services\svchost.exe
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
(default)
<Common Files>\Services\svchost.exe
W32/Hoxi-A also attempts to spread by copying itself to:
- other network computers
- removable shared drives as the filename <Root>\IO.pif. It does
this by creating the file <Root>\autorun.inf that contains
instructions to run the worm when the removable drive is connected
to an uninfected computer.
W32/Hoxi-A includes functionality to:
- disable anti-virus applications
- disable security center
- steal passwords from Instant Messaging applications
Name W32/Agobot-AIW
Type
* Worm
Affected operating systems
* Windows
Side effects
* Allows others to access the computer
* Installs itself in the Registry
* Exploits system or software vulnerabilities
Prevalence (1-5) 2
Description
W32/Agobot-AIW is a worm for the Windows platform.
Advanced
W32/Agobot-AIW is a worm for the Windows platform.
W32/Agobot-AIW spreads
- to computers vulnerable to common exploits, including: PNP
(MS05-039) and ASN.1 (MS04-007)
- to network shares protected by weak passwords
W32/Agobot-AIW includes functionality to access the internet and
communicate with a remote server via HTTP.
When first run W32/Agobot-AIW copies itself to <System>\svshost.exe
and creates the file <User>\Application Data\temp\ce2c623f.tmp.
The following registry entries are created to run svshost.exe on
startup:
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Microsoft Updates
svshost.exe
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices
Microsoft Updates
svshost.exe
Registry entries are set as follows:
HKCU\Software\Policies\Microsoft\Windows\WindowsUpdate\AU
NoAutoUpdate
1
HKCU\Software\Policies\Microsoft\Windows\WindowsUpdate\AU
AUOptions
1
HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU
NoAutoUpdate
1
HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU
AUOptions
1
Registry entries are created under:
HKCU\Software\Microsoft\Security Center
HKLM\SOFTWARE\Microsoft\Security Center
Name Troj/RKAgen-A
Type
* Trojan
Affected operating systems
* Windows
Side effects
* Drops more malware
* Reduces system security
* Installs itself in the Registry
Aliases
* Rootkit.Win32.Agent.ea
* Trojan.Srizbi
Prevalence (1-5) 2
Description
Troj/RKAgen-A is a Trojan for the Windows platform.
Advanced
Troj/RKAgen-A is a Trojan for the Windows platform.
Troj/RKAgen-A drops the file <Windows>\system32\windbg48.sys. This
file is detected as Troj/RKAgen-Fam. This file is registered as a new
system driver service with a display name of "windbg48" and a startup
type of automatic, so that it is started automatically during system
startup. Registry entries are created under:
HKLM\SYSTEM\CurrentControlSet\Services\windbg48\
Name W32/Tilebot-JY
Type
* Spyware Worm
How it spreads
* Network shares
Affected operating systems
* Windows
Side effects
* Turns off anti-virus applications
* Allows others to access the computer
* Steals information
* Reduces system security
* Installs itself in the Registry
* Exploits system or software vulnerabilities
* Used in DOS attacks
* Scans network for vulnerabilities
* Scans network for weak passwords
Prevalence (1-5) 2
Description
W32/Tilebot-JY is a network worm with backdoor functionality for the
Windows platform.
W32/Tilebot-JY spreads to other network computers by exploiting
common buffer overflow vulnerabilities, including: SRVSVC (MS06-040),
WKS (MS03-049) (CAN-2003-0812), PNP (MS05-039) and ASN.1 (MS04-007).
The worm may also spread via network shares protected by weak
passwords.
W32/Tilebot-JY runs continuously in the background, providing a
backdoor server which allows a remote intruder to gain access and
control over the computer via IRC channels.
W32/Tilebot-JY includes functionality to:
- set up an FTP server
- set up a proxy server
- steal information in the Protected Storage Area
- set or remove network shares
- scan ports
- sniff packets
- start a remote shell (RLOGIN)
- access the internet and communicate with a remote server via HTTP
- harvest information from clipboard
- take part in Distributed Denial of Service (DDoS) attacks
Advanced
W32/Tilebot-JY is a network worm with backdoor functionality for the
Windows platform.
W32/Tilebot-JY spreads to other network computers by exploiting
common buffer overflow vulnerabilities, including: SRVSVC (MS06-040),
WKS (MS03-049) (CAN-2003-0812), PNP (MS05-039) and ASN.1 (MS04-007).
The worm may also spread via network shares protected by weak
passwords.
W32/Tilebot-JY runs continuously in the background, providing a
backdoor server which allows a remote intruder to gain access and
control over the computer via IRC channels.
W32/Tilebot-JY includes functionality to:
- set up an FTP server
- set up a proxy server
- steal information in the Protected Storage Area
- set or remove network shares
- scan ports
- sniff packets
- start a remote shell (RLOGIN)
- access the internet and communicate with a remote server via HTTP
- harvest information from clipboard
- take part in Distributed Denial of Service (DDoS) attacks
When first run W32/Tilebot-JY copies itself to <Windows>\wuauclt.exe.
The file wuauclt.exe is registered as a new system driver service
named "automatic updates for Microsoft Windows", with a display name
of "automatic updates for Microsoft Windows" and a startup type of
automatic, so that it is started automatically during system startup.
Registry entries are created under:
HKLM\SYSTEM\CurrentControlSet\Services\automatic updates for
Microsoft Windows
The following registry entries are set, disabling system software:
HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System
DisableTaskMgr
1
HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System
DisableRegistryTools
1
W32/Tilebot-JY sets the following registry entries, disabling the
automatic startup of other software:
HKLM\SYSTEM\CurrentControlSet\Services\Messenger
Start
4
HKLM\SYSTEM\CurrentControlSet\Services\RemoteRegistry
Start
4
HKLM\SYSTEM\CurrentControlSet\Services\TlntSvr
Start
4
W32/Tilebot-JY attempts to disable the system file checker by
modifying sfc_os.dll or sfc.dll and setting the following registry
entries:
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon
SFCScan
0
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon
SFCDisable
ffffff9d
The modified sfc_os.dll or sfc.dll is detected as "Disabled System
File Check DLL".
W32/Tilebot-JY replaces the following files with a program that does nothing:
<Windows system folder>\ftp.exe
<Windows system folder>\tftp.exe
The original version of sfc_os.dll or sfc.dll is copied to <Windows
system folder>\trash<random number>.
The original versions of ftp.exe and tftp.exe are deleted.
Additional registry entries are set as follows:
HKLM\SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile
EnableFirewall
0
HKLM\SOFTWARE\Policies\Microsoft\WindowsFirewall\StandardProfile
EnableFirewall
0
HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate
DoNotAllowXPSP2
1
HKLM\SOFTWARE\Microsoft\Ole
EnableDCOM
N
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon
Shell
Explorer.exe <Windows>\wuauclt.exe
Registry entries are created under:
HKLM\SOFTWARE\Microsoft\Security Center
HKLM\SOFTWARE\Symantec\LiveUpdate Admin
Name W32/Punya-A
Type
* Worm
How it spreads
* Removable storage devices
Affected operating systems
* Windows
Side effects
* Reduces system security
* Installs itself in the Registry
Prevalence (1-5) 2
Description
W32/Punya-A is a worm for the Windows platform.
Advanced
W32/Punya-A is a worm for the Windows platform.
When W32/Punya-A is installed, it copies itself to the following
locations:
\Punya Administrator.exe
\setup.bin
\dago\baru.exe
<Root>\Application Data\WINDOWS\CSRSS.EXE
<Root>\Application Data\WINDOWS\LSASS.EXE
<Root>\Application Data\WINDOWS\SERVICES.EXE
<Root>\Application Data\WINDOWS\SMSS.EXE
<Root>\Application Data\WINDOWS\WINLOGON.EXE
<System>\debug.cmd
<System>\evanta44.scr
<System>\fad.bin
<System>\fault.exe
<System>\Micro.exe
<System>\system.dll
<System>\tic.exe
<System>\Word.exe
The following files are created:
\loh.htm
\dago\Folder.htt
<Windows>\sys.bat
The following registry entries are created to run W32/Punya-A on
startup:
HKCU\Software\Microsoft\Windows\CurrentVersion\Run
AutoAdministrator
<Root>\Application Data\WINDOWS\SERVICES.EXE
HKCU\Software\Microsoft\Windows\CurrentVersion\Run
CueX44_stil_here
<Root>\Application Data\WINDOWS\WINLOGON.EXE
HKCU\Software\Microsoft\Windows\CurrentVersion\Run
dago
<System>\fault.exe
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Task
<Root>\Application Data\WINDOWS\LSASS.EXE
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
WinUpdateAdministrator
<Root>\Application Data\WINDOWS\CSRSS.EXE
The following registry entries are changed to run evanta44.scr and
Word.exe on startup:
HKCU\Control Panel\Desktop
SCRNSAVE.EXE
<System>\evanta44.SCR
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon
Userinit
<System>\userinit.exe,<System>\Word.exe
(the default value for this registry entry is
"<Windows>\System32\userinit.exe,").
The following registry entries are set or modified, so that Micro.exe
is run when files with extensions of BAT, COM and PIF are
opened/launched:
HKCR\lnkfile\shell\open\command
(Default)
"<System>\Micro.exe" "%1" %*
HKCR\batfile\shell\open\command
(Default)
"<System>\Micro.exe" "%1" %*
HKCR\comfile\shell\open\command
(Default)
"<System>\Micro.exe" "%1" %*
HKCR\piffile\shell\open\command
(Default)
"<System>\Micro.exe" "%1" %*
W32/Punya-A changes settings for Microsoft Internet Explorer,
including the Start Page, by modifying values under:
HKCU\Software\Microsoft\Internet Explorer\Main\
HKCU\Software\Microsoft\Internet Explorer\Main\Start Page
The following registry entries are set, disabling the registry editor
(regedit), the Windows task manager (taskmgr) and the command prompt:
HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System
DisableCMD
1
HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System
DisableRegistryTools
1
HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System
DisableTaskMgr
1
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system
DisableRegistryTools
1
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system
DisableTaskMgr
1
Registry entries are set as follows:
HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer
NoFolderOptions
1
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer
NoFolderOptions
1
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\AeDebug
Debugger
<System>\debug.cmd
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon
Shell
Explorer.exe "<System>\IExplorer.exe"
Name Troj/WinSpy-O
Type
* Spyware Trojan
Affected operating systems
* Windows
Side effects
* Steals information
Aliases
* Trojan-Spy.Win32.WinSpy.ag
Prevalence (1-5) 2
Description
Troj/WinSpy-O is a spyware Trojan for the Windows platform.
Advanced
Troj/WinSpy-O is a spyware Trojan for the Windows platform.
Registry entries are created under:
HKCR\MSWinsock.Winsock
Troj/WinSpy-O communicates with a remote server via HTTP.
Name W32/SillyFD-D
Type
* Worm
How it spreads
* Removable storage devices
Affected operating systems
* Windows
Side effects
* Installs itself in the Registry
* Leaves non-infected files on computer
Prevalence (1-5) 2
Description
W32/SillyFD-D is a worm for the Windows platform.
Advanced
W32/SillyFD-D is a worm for the Windows platform.
When first run W32/SillyFD-D copies itself to the following locations:
<Common Files>\Microsoft Shared\<Random 5 characters>.exe
<Program Files>\Internet Explorer\Connection Wizard\<Random 5
characters>.exe
<Program Files>\Windows Media Player\<Random 5 characters>.exe
<System>\<Random 5 characters>.exe
<System>\<Random 5 characters>.exe
<System>\<Random 5 characters>.exe
<System>\dllcache\<Random 5 characters>.exe
<System>\drivers\svchost.exe
<System>\drivers\<Random 5 characters>.exe
<System>\IME\<Random 5 characters>.exe
and creates the following files:
<Temp>\rs.bat
The file <System>\drivers\svchost.exe is registered as a system
driver service named "wuauserv" (replacing any existing services
named "wuauserv").
Registry entries are created or modified under:
HKLM\SYSTEM\CurrentControlSet\Services\wuauserv
W32/SillyFD-D attempts to periodically copy itself to removable
drives, including floppy drives and USB keys. The worm will attempt
to create a hidden file Autorun.inf on the removable drive and copy
itself to the same location. The file Autorun.inf is designed to
start the worm once the removable drive is connected to an uninfected
computer.
Name W32/Looked-DL
Type
* Virus
How it spreads
* Network shares
* Infected files
Affected operating systems
* Windows
Side effects
* Allows others to access the computer
* Downloads code from the internet
* Installs itself in the Registry
Aliases
* Trojan-Dropper.Win32.Small.axi
* Win32/Viking.DB
* PE_LOOKED.ABM-O
Prevalence (1-5) 2
Description
W32/Looked-DL is a prepending virus and network worm for the Windows
platform.
W32/Looked-DL spreads via file sharing on P2P networks.
W32/Looked-DL runs continuously in the background, providing a
backdoor server which allows a remote intruder to gain access and
control over the computer.
W32/Looked-DL includes functionality to access the internet and
communicate with a remote server via HTTP.
Advanced
W32/Looked-DL is a prepending virus and network worm for the Windows
platform.
W32/Looked-DL spreads via file sharing on P2P networks.
W32/Looked-DL runs continuously in the background, providing a
backdoor server which allows a remote intruder to gain access and
control over the computer.
W32/Looked-DL includes functionality to access the internet and
communicate with a remote server via HTTP.
When W32/Looked-DL is installed the following files are created:
<Windows>\Logo1_.exe
<Windows>\RichDll.dll
<Windows>\uninstall\rundl132.exe
<System>\nlsloop.exe
These files are all detected as W32/Looked-DL.
W32/Looked-DL may also create many files with the name "_desktop.ini"
in various folders on the infected computer. These files are harmless
text files and can be deleted.
The worm changes the following registry entry in order to be run
automatically on startup:
HKCU\Software\Microsoft\Windows NT\CurrentVersion\Windows\
load
<Windows>\uninstall\rundl132.exe
Registry entries are created under:
HKLM\SOFTWARE\Soft\DownloadWWW\
Name W32/Poebot-KK
Type
* Worm
How it spreads
* Network shares
Affected operating systems
* Windows
Side effects
* Allows others to access the computer
* Downloads code from the internet
* Installs itself in the Registry
* Exploits system or software vulnerabilities
Prevalence (1-5) 2
Description
W32/Poebot-KK is a worm with IRC backdoor functionality which allows
a remote intruder to gain access and control over the computer.
Advanced
W32/Poebot-KK is a worm with IRC backdoor functionality which allows
a remote intruder to gain access and control over the computer.
W32/Poebot-KK includes functionality to download, install and run new
software.
W32/Poebot-KK spreads to other network computers by exploiting common
vulnerabilities, including LSASS (MS04-011), SRVSVC (MS06-040),
RPC-DCOM (MS04-012) and PNP (MS05-039).
When first run W32/Poebot-KK copies itself to <System>\iexplore.exe
or <System>\firewall.exe and creates a clean file <random
characters>.bat.
One of the following registry entries is created at the following
location to run the worm:
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Microsoft Internet Explorer
<System>\iexplore.exe
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Windows Network Firewall
<System>\firewall.exe
Name W32/Hupigon-SJ
Type
* Worm
How it spreads
* Chat programs
Affected operating systems
* Windows
Side effects
* Allows others to access the computer
* Modifies data on the computer
* Downloads code from the internet
* Installs itself in the Registry
Prevalence (1-5) 2
Description
W32/Hupigon-SJ is a worm and IRC backdoor Trojan for the Windows
platform.
Advanced
W32/Hupigon-SJ is a worm and IRC backdoor Trojan for the Windows
platform.
When run W32/Hupigon-SJ copies itself to <Windows>\Cursors\lsasrv.exe.
The file lsasrv.exe is registered as a system service with the name
"LSaServ", with a display name of "Local Security Authority Server",
a description as "Controls local security and login policies." and a
startup type of automatic. Registry entries are created under:
HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_LSASERV\
HKLM\SYSTEM\CurrentControlSet\Services\LSaServ\
W32/Hupigon-SJ attempts to spread via AOL Instant Messenger.
W32/Hupigon-SJ includes functionality to:
- download code from the internet
- set AOL Instant Messenger profiles
--- MultiMail/Win32 v0.43
* Origin: Doc's Place BBS Fido Since 1991 docsplace.tzo.com (1:123/140)
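As an added defender-side example (not part of the original post, nor code from Sophos), the following PowerShell script audits a Windows host for the indicators the entries above have in common: the Policies\System, Policies\Explorer, WindowsUpdate and WindowsFirewall values, the Winlogon Shell/Userinit and SFC settings, the AeDebug and file-type handler hijacks, the service names the samples register, the replaced ftp.exe/tftp.exe/sfc_os.dll, and autorun.inf on removable drives. Registry paths, value names and file names are taken from the descriptions; the helper function and variable names are this example's own, and the Authenticode and wuauserv ImagePath checks go slightly beyond the text to cover any replacement of those components.

```powershell
# Added read-only audit (example code, not from the Sophos descriptions or the original post).
# Registry paths, value names and file names come from the descriptions above; the helper
# names ($findings, Test-RegValue) are this example's own. Run from an elevated Windows
# PowerShell prompt. Nothing is modified; output is a list of items to review.

$findings = New-Object System.Collections.Generic.List[string]

function Test-RegValue {
    # Record a finding when the named value exists and equals the known-bad setting.
    param([string]$Path, [string]$Name, [object]$Bad, [string]$Why)
    if (-not (Test-Path $Path)) { return }
    $item = Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue
    if ($null -eq $item) { return }
    if ("$($item.$Name)" -eq "$Bad") { $findings.Add("$Path\$Name = $($item.$Name)  ($Why)") }
}

# 1. Policy values that Tilebot-JX/JY, Agobot-AIW and Punya-A set to lock the user out
#    of Task Manager, regedit, cmd, Folder Options, Automatic Updates and the firewall.
foreach ($hive in 'HKCU:', 'HKLM:') {
    $sys = "$hive\Software\Microsoft\Windows\CurrentVersion\Policies\System"
    Test-RegValue $sys 'DisableTaskMgr'       1 'Task Manager disabled by policy'
    Test-RegValue $sys 'DisableRegistryTools' 1 'registry editor disabled by policy'
    Test-RegValue $sys 'DisableCMD'           1 'command prompt disabled by policy'
    Test-RegValue "$hive\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" 'NoFolderOptions' 1 'Folder Options hidden'
    Test-RegValue "$hive\Software\Policies\Microsoft\Windows\WindowsUpdate\AU" 'NoAutoUpdate' 1 'Automatic Updates disabled'
}
foreach ($profile in 'DomainProfile', 'StandardProfile') {
    Test-RegValue "HKLM:\SOFTWARE\Policies\Microsoft\WindowsFirewall\$profile" 'EnableFirewall' 0 'Windows Firewall disabled by policy'
}
Test-RegValue 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate' 'DoNotAllowXPSP2' 1 'XP SP2 installation blocked'
Test-RegValue 'HKLM:\SOFTWARE\Microsoft\Ole' 'EnableDCOM' 'N' 'DCOM disabled'

# 2. Windows File Protection tampering. SFCDisable=ffffff9d is a REG_DWORD, which the
#    registry provider returns as a negative Int32, so test for "not zero" rather than 0xffffff9d.
$wl = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'
Test-RegValue $wl 'SFCScan' 0 'SFC scan at boot disabled'
$sfc = (Get-ItemProperty $wl -Name SFCDisable -ErrorAction SilentlyContinue).SFCDisable
if ($sfc -and $sfc -ne 0) { $findings.Add(("{0}\SFCDisable = 0x{1:x}  (Windows File Protection disabled)" -f $wl, $sfc)) }

# 3. Winlogon Shell and Userinit should name only explorer.exe and userinit.exe;
#    Tilebot-JX/JY and Punya-A append their own executable to one of them.
$shell = (Get-ItemProperty $wl -Name Shell -ErrorAction SilentlyContinue).Shell
if ($shell -and $shell -ne 'explorer.exe') { $findings.Add("$wl\Shell = '$shell'  (extra program started with the shell)") }
$userinit = (Get-ItemProperty $wl -Name Userinit -ErrorAction SilentlyContinue).Userinit
$extra = @($userinit -split ',' | Where-Object { $_.Trim() -and $_ -notmatch 'userinit\.exe\s*$' })
if ($extra.Count) { $findings.Add("$wl\Userinit = '$userinit'  (extra program: $($extra -join ', '))") }

# 4. Punya-A style hijacks: a script registered as the post-mortem debugger, and
#    shell\open\command for bat/com/pif/lnk/exe files not equal to the stock "%1" %*.
$dbg = (Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\AeDebug' -Name Debugger -ErrorAction SilentlyContinue).Debugger
if ($dbg -match '\.(cmd|bat)\b') { $findings.Add("AeDebug\Debugger = '$dbg'  (script registered as debugger)") }
foreach ($ft in 'batfile', 'comfile', 'piffile', 'lnkfile', 'exefile') {
    $key = "Registry::HKEY_CLASSES_ROOT\$ft\shell\open\command"
    $cmd = (Get-ItemProperty $key -Name '(default)' -ErrorAction SilentlyContinue).'(default)'
    if ($cmd -and $cmd.Trim() -ne '"%1" %*') { $findings.Add("$key = '$cmd'  (file type handler redirected)") }
}

# 5. Services: the three the worms set to Disabled (Start=4; a weak signal on its own),
#    the service names the samples register, and wuauserv, which SillyFD-D re-points.
$svcRoot = 'HKLM:\SYSTEM\CurrentControlSet\Services'
foreach ($svc in 'Messenger', 'RemoteRegistry', 'TlntSvr') {
    Test-RegValue "$svcRoot\$svc" 'Start' 4 "$svc set to Disabled; confirm this was intended"
}
foreach ($name in 'NTVDM.', 'automatic updates for Microsoft Windows', 'windbg48', 'LSaServ') {
    if (Test-Path "$svcRoot\$name") { $findings.Add("service key present: $name") }
}
$wu = (Get-ItemProperty "$svcRoot\wuauserv" -Name ImagePath -ErrorAction SilentlyContinue).ImagePath
if ($wu -and $wu -notmatch 'system32\\svchost\.exe -k netsvcs') { $findings.Add("wuauserv ImagePath = '$wu'  (genuine service runs inside svchost -k netsvcs)") }

# 6. Files named in the descriptions. The genuine ntvdm.exe and wuauclt.exe live in
#    System32, not in the Windows folder, so a copy there is suspicious by location alone.
$sr = $env:SystemRoot
$paths = "$sr\ntvdm.exe", "$sr\wuauclt.exe", "$sr\Logo1_.exe", "$sr\RichDll.dll",
         "$sr\Cursors\lsasrv.exe", "$sr\System32\RubeL.exe", "$sr\System32\svshost.exe",
         "$sr\System32\backup.ftp", "$sr\System32\backup.tftp", "$sr\System32\drivers\svchost.exe"
foreach ($p in $paths) { if (Test-Path $p) { $findings.Add("file present: $p") } }

# 7. Tilebot-JX/JY overwrite ftp.exe, tftp.exe and the SFC DLL; a non-Valid Authenticode
#    status flags that. Where these files are only catalog-signed and the cmdlet does not
#    consult catalogs, compare hashes against a known-good copy instead.
foreach ($f in 'ftp.exe', 'tftp.exe', 'sfc_os.dll', 'sfc.dll') {
    $p = "$sr\System32\$f"
    if (Test-Path $p) {
        $sig = Get-AuthenticodeSignature -FilePath $p
        if ($sig.Status -ne 'Valid') { $findings.Add("$p Authenticode status: $($sig.Status)") }
    }
}

# 8. Removable drives: Hoxi-A and SillyFD-D drop a (hidden) autorun.inf beside their copy.
foreach ($d in Get-WmiObject Win32_LogicalDisk -Filter 'DriveType=2') {
    $ar = Join-Path $d.DeviceID 'autorun.inf'
    if (Test-Path $ar) {
        $launch = Get-Content -Force $ar | Where-Object { $_ -match '^\s*(open|shellexecute|shell\\.*\\command)\s*=' }
        $findings.Add("autorun.inf on $($d.DeviceID): $($launch -join '; ')")
    }
}

if ($findings.Count -eq 0) { 'No indicators from these descriptions found.' }
else { $findings | ForEach-Object { "[!] $_" } }
```

The script targets Windows PowerShell on the systems of the period (XP/2003), reads only, and reports rather than decides: a disabled RemoteRegistry service or a custom Shell value can be a deliberate configuration, so treat the output as a review list and confirm each item against the host's expected baseline before restoring files from a clean backup as the descriptions advise.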