Tillbaka till svenska Fidonet
English   Information   Debug  
COMICS   0/15
CONSPRCY   0/899
COOKING   32896
COOKING_OLD1   0/24719
COOKING_OLD2   0/40862
COOKING_OLD3   0/37489
COOKING_OLD4   0/35496
COOKING_OLD5   9370
C_ECHO   0/189
C_PLUSPLUS   0/31
DIRTY_DOZEN   0/201
DOORGAMES   0/2056
DOS_INTERNET   0/196
duplikat   6002
ECHOLIST   0/18295
EC_SUPPORT   0/318
ELECTRONICS   0/359
ELEKTRONIK.GER   1534
ENET.LINGUISTIC   0/13
ENET.POLITICS   0/4
ENET.SOFT   0/11701
ENET.SYSOP   33903
ENET.TALKS   0/32
ENGLISH_TUTOR   0/2000
EVOLUTION   0/1335
FDECHO   0/217
FDN_ANNOUNCE   0/7068
FIDONEWS   24125
FIDONEWS_OLD1   0/49742
FIDONEWS_OLD2   0/35949
FIDONEWS_OLD3   0/30874
FIDONEWS_OLD4   0/37224
FIDO_SYSOP   12852
FIDO_UTIL   0/180
FILEFIND   0/209
FILEGATE   0/212
FILM   0/18
FNEWS_PUBLISH   4408
FN_SYSOP   41678
FN_SYSOP_OLD1   71952
FTP_FIDO   0/2
FTSC_PUBLIC   0/13599
FUNNY   0/4886
GENEALOGY.EUR   0/71
GET_INFO   105
GOLDED   0/408
HAM   0/16070
HOLYSMOKE   0/6791
HOT_SITES   0/1
HTMLEDIT   0/71
HUB203   466
HUB_100   264
HUB_400   39
HUMOR   0/29
IC   0/2851
INTERNET   0/424
INTERUSER   0/3
IP_CONNECT   719
JAMNNTPD   0/233
JAMTLAND   0/47
KATTY_KORNER   0/41
LAN   0/16
LINUX-USER   0/19
LINUXHELP   0/1155
LINUX   0/22092
LINUX_BBS   0/957
mail   18.68
mail_fore_ok   249
MENSA   0/341
MODERATOR   0/102
MONTE   0/992
MOSCOW_OKLAHOMA   0/1245
MUFFIN   0/783
MUSIC   0/321
N203_STAT   926
N203_SYSCHAT   313
NET203   321
NET204   69
NET_DEV   0/10
NORD.ADMIN   0/101
NORD.CHAT   0/2572
NORD.FIDONET   189
NORD.HARDWARE   0/28
NORD.KULTUR   0/114
NORD.PROG   0/32
NORD.SOFTWARE   0/88
NORD.TEKNIK   0/58
NORD   0/453
OCCULT_CHAT   0/93
OS2BBS   0/787
OS2DOSBBS   0/580
OS2HW   0/42
OS2INET   0/37
OS2LAN   0/134
OS2PROG   0/36
OS2REXX   0/113
OS2USER-L   207
OS2   0/4786
OSDEBATE   0/18996
PASCAL   0/490
PERL   0/457
PHP   0/45
POINTS   0/405
POLITICS   0/29554
POL_INC   0/14731
PSION   103
R20_ADMIN   1121
R20_AMATORRADIO   0/2
R20_BEST_OF_FIDONET   13
R20_CHAT   0/893
R20_DEPP   0/3
R20_DEV   399
R20_ECHO2   1379
R20_ECHOPRES   0/35
R20_ESTAT   0/719
R20_FIDONETPROG...
...RAM.MYPOINT
  0/2
R20_FIDONETPROGRAM   0/22
R20_FIDONET   0/248
R20_FILEFIND   0/24
R20_FILEFOUND   0/22
R20_HIFI   0/3
R20_INFO2   3218
R20_INTERNET   0/12940
R20_INTRESSE   0/60
R20_INTR_KOM   0/99
R20_KANDIDAT.CHAT   42
R20_KANDIDAT   28
R20_KOM_DEV   112
R20_KONTROLL   0/13270
R20_KORSET   0/18
R20_LOKALTRAFIK   0/24
R20_MODERATOR   0/1852
R20_NC   76
R20_NET200   245
R20_NETWORK.OTH...
...ERNETS
  0/13
R20_OPERATIVSYS...
...TEM.LINUX
  0/44
R20_PROGRAMVAROR   0/1
R20_REC2NEC   534
R20_SFOSM   0/340
R20_SF   0/108
R20_SPRAK.ENGLISH   0/1
R20_SQUISH   107
R20_TEST   2
R20_WORST_OF_FIDONET   12
RAR   0/9
RA_MULTI   106
RA_UTIL   0/162
REGCON.EUR   0/2056
REGCON   0/13
SCIENCE   0/1206
SF   0/239
SHAREWARE_SUPPORT   0/5146
SHAREWRE   0/14
SIMPSONS   0/169
STATS_OLD1   0/2539.065
STATS_OLD2   0/2530
STATS_OLD3   0/2395.095
STATS_OLD4   0/1692.25
SURVIVOR   0/495
SYSOPS_CORNER   0/3
SYSOP   0/84
TAGLINES   0/112
TEAMOS2   0/4530
TECH   0/2617
TEST.444   0/105
TRAPDOOR   0/19
TREK   0/755
TUB   0/290
UFO   0/40
UNIX   0/1316
USA_EURLINK   0/102
USR_MODEMS   0/1
VATICAN   0/2740
VIETNAM_VETS   0/14
VIRUS   0/378
VIRUS_INFO   0/201
VISUAL_BASIC   0/473
WHITEHOUSE   0/5187
WIN2000   0/101
WIN32   0/30
WIN95   0/4288
WIN95_OLD1   0/70272
WINDOWS   0/1517
WWB_SYSOP   0/419
WWB_TECH   0/810
ZCC-PUBLIC   0/1
ZEC   4

 
4DOS   0/134
ABORTION   0/7
ALASKA_CHAT   0/506
ALLFIX_FILE   0/1313
ALLFIX_FILE_OLD1   0/7997
ALT_DOS   0/152
AMATEUR_RADIO   0/1039
AMIGASALE   0/14
AMIGA   0/331
AMIGA_INT   0/1
AMIGA_PROG   0/20
AMIGA_SYSOP   0/26
ANIME   0/15
ARGUS   0/924
ASCII_ART   0/340
ASIAN_LINK   0/651
ASTRONOMY   0/417
AUDIO   0/92
AUTOMOBILE_RACING   0/105
BABYLON5   0/17862
BAG   135
BATPOWER   0/361
BBBS.ENGLISH   0/382
BBSLAW   0/109
BBS_ADS   0/5290
BBS_INTERNET   0/507
BIBLE   0/3563
BINKD   0/1119
BINKLEY   0/215
BLUEWAVE   0/2173
CABLE_MODEMS   0/25
CBM   0/46
CDRECORD   0/66
CDROM   0/20
CLASSIC_COMPUTER   0/378
Möte DIRTY_DOZEN, 201 texter
 lista första sista föregående nästa
Text 2, 1365 rader
Skriven 2004-09-19 14:46:00 av KURT WISMER (1:123/140)
Ärende: News, Sept. 19 2004
===========================
[cut-n-paste from sophos.com]

Name   W32/Mydoom-Y

Type  
    * Worm

How it spreads  
    * Email attachments

Affected operating systems  
    * Windows

Side effects  
    * Turns off anti-virus applications
    * Sends itself to email addresses found on the infected computer
    * Stops the computer from booting
    * Forges the sender's email address

Aliases  
    * Win32.Evaman.D@mm
    * W32/Evaman.e@MM
    * I-Worm.Mydoom.w

Prevalence (1-5) 2

Description
W32/MyDoom-Y is a mass-mailing internet worm for the Windows platform.

When executed W32/MyDoom-Y will attempt to connect to the URL

After 1am December 1st 2004 W32/MyDoom-Y will shut down the machine 
whenever it is started.

Advanced
W32/MyDoom-Y is a mass-mailing internet worm for the Windows platform.

When executed W32/MyDoom-Y will attempt to connect to the URL

http://www.microsucks.com.

W32/MyDoom-Y will then copy itself to the default SYSTEM folder as the 
file SYSHOSTS.EXE and will set one of the following registry entries to 
run itself on system restart:

HKLM\Software\Microsoft\Windows\CurrentVersion\Run\MS Updates
HKCU\Software\Microsoft\Windows\CurrentVersion\Run\MS Updates

The registry entry:

HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\SYSHOSTS

will be created to act as an infection marker for the worm.

W32/MyDoom-Y will attempt to send itself as an email attachment to 
messages with the following characteristics:

Subject: This field will be either "album" or "You've got a virtual 
postcard!"

Body: This field will either be

"My pics...*sexy*. Heheh! ;)"

or

"You have just received a new postcard from Fleshecard.com!

From: <sender name>

To pick up your postcard follow this web address

http://www.flashecard.com.viewcard.main.ecard.php2342

or click the attached link. We hope you enjoy your postcard, and if
you do, please take a moment to send a few yourself!

http://www.flashecard.com

(Your message will be available for 30 days.)

Please visit our site for more information."

Attachment: the attachment name will either be "Photos_album" or
"www.flashecard.com?postcard=viewcard?download" followed by either one 
of the extensions SCR or HTML.SCR

W32/MyDoom-Y will reference the registry entry

HKCU\Software\Microsoft\WAB\WAB4\WAB File Name

to obtain the windows address book file it will then attempt to send 
itself to all contacts listed in the file before searching files with 
the following extensions found in the Temporary Internet Files folder:

htmb
htmbl
shtl
phpq
emll
msgq
aspd
dbxn
tbbg
adbh
wab

W32/MyDoom-Y will not send emails out to addresses that include any of 
the following strings in their names:

syma
msn
hotmail
anda
opho
borlan
npris
xample
mydom
@domai
ruslis
.gov
.mil
@foo
berkley
unix
math
bsd
mit.e
gnu
fsf
ibm
oogle
kernel
linux
fido
senet
@iana
ripe
isi.e
arin
rfc-ed
isc.o
ecur
acketst
pgp
tanford.e
utgers.ed
ample
info
root@
ostmaster@
ebmaster@
you
ugs@
ating@
ontact@
soft
rivacy
ervice
help
ubmit@
feste
cert
page
upport
ntivi
istser
ertific
ccoun
spm
Spam
SPAM
spam
abuse
cafee
@messagelab
@avp
kasp
winzip
winrar
pdate
irus
ahoo
buse@
sale

W32/MyDoom-Y will spoof the senders email address to appear to have 
originated from any of the following domains:

@aol.com
@hotmail.com
@yahoo.com
@msn.com
@excite.com
@mail.com

The senders name will be selected at random from the list:

Jennifer
Barbara
Linda
Susan
Eric
Kevin
Mary
Robert
John
Maria
Alex
Pamela
Anna
Andrew
Fred
Jack
James
Julie
Debby
Claudia
Matt
Brent

W32/MyDoom-Y will attempt to terminate any running processes found which 
include the following strings as part of their name

task
msconfig
AV
MC
ieframe
nti
iru
ire
cc
ecu
can
scn
kv
fr
regedit

W32/MyDoom-Y will create a Mutex with the label hola_back_bitches.

After 1am December 1st 2004 W32/MyDoom-Y will shut down the machine 
whenever it is started.





Name   W32/Forbot-AE

Type  
    * Worm

How it spreads  
    * Network shares

Affected operating systems  
    * Windows

Side effects  
    * Allows others to access the computer
    * Steals information
    * Exploits system or software vulnerabilities

Aliases  
    * Backdoor.Win32.Wootbot.gen
    * W32/Gaobot.worm.gen.f

Prevalence (1-5) 2

Description
W32/Forbot-AE is a member of the W32/Forbot family of internet worms
that spread by scanning for and exploiting known vulnerabilities of 
Windows operating systems.

The worm connects to a remote IRC server and allows a malicious user to
remotely control an infected computer.

Advanced
W32/Forbot-AE is a member of the W32/Forbot family of internet worms 
that spread by scanning for and exploiting known vulnerabilities of 
Windows operating systems.

In order to run automatically when Windows starts up the worm copies 
itself to the file videosd32.exe in the Windows system folder and adds 
the following registry entries:

HKLM\Software\Microsoft\Windows\CurrentVersion\Run\Win32 Configuration
HKLM\Software\Microsoft\Windows\CurrentVersion\RunOnce\Win32 
Configuration
HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices\Win32 
Configuration
HKCU\Software\Microsoft\Windows\CurrentVersion\Run\Win32 Configuration
HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnce\Win32 
Configuration.

The worm also adds an entry

HKCU\Software\Microsoft\Internet Explorer\Explorer 
Bars\<clsid>\FilesNamedMRU

pointing to itself where CLSID is a randomly generated classid value.

In addition W32/Forbot-AE registers itself to run as the service Windows 
Manage with the display name Win32 Configuration.

The worm connects to a remote IRC server and allows a malicious user to
remotely control an infected computer.





Name   W32/Squirrel-A

Type  
    * Virus

How it spreads  
    * Network shares

Affected operating systems  
    * Windows

Side effects  
    * Modifies data on the computer

Prevalence (1-5) 2

Description
W32/Squirrel-A is an appending virus.

Advanced
W32/Squirrel-A is an appending virus.

W32/Squirrel-A attempts to infect Windows executable files with file 
extension 'exe', 'EXE', or 'scr'. The virus searches drives C: to Z: for 
such files, as well as available network resources.

W32/Squirrel-A deletes appended data from files it infects. This means 
certain files will not be fully recoverable by disinfection.





Name   W32/Sdbot-PJ

Type  
    * Worm

How it spreads  
    * Email attachments

Affected operating systems  
    * Windows

Side effects  
    * Allows others to access the computer
    * Downloads code from the internet
    * Installs itself in the Registry
    * Used in DOS attacks

Aliases  
    * Backdoor.SdBot.gen

Prevalence (1-5) 2

Description
W32/Sdbot-PJ is a worm which attempts to spread to remote network shares 
protected by weak passwords.

Advanced
W32/Sdbot-PJ is a worm which attempts to spread to remote network shares 
protected by weak passwords.

W32/Sdbot-PJ contains backdoor Trojan functionality allowing unauthorised 
remote access to the infected computer via IRC channels while running in 
the background as a service process.

W32/Sdbot-PJ copies itself to the Windows system folder as msnmngr.exe 
and creates the following registry entries to ensure it is run at system 
logon:

HKCU\Software\Microsoft\Windows\CurrentVersion\Run\
Microsofts Help Services = msnmngr.exe

HKLM\Software\Microsoft\Windows\CurrentVersion\Run\
Microsofts Help Services = msnmngr.exe

HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices\
Microsofts Help Services = msnmngr.exe

W32/Sdbot-PJ can also download and execute remote files on the infected 
computer and flood other computers with network packets.





Name   W32/Sdbot-PI

Type  
    * Worm

How it spreads  
    * Network shares

Affected operating systems  
    * Windows

Side effects  
    * Allows others to access the computer
    * Steals information
    * Installs itself in the Registry
    * Used in DOS attacks

Aliases  
    * Trojan.Win32.Pakes

Prevalence (1-5) 2

Description
W32/Sdbot-PI is a network worm and backdoor for the Windows platform. 
The worm spreads to shared folders with weak passwords.

The backdoor component connects to a predefined IRC server and waits for 
commands from a remote attacker.

Advanced
W32/Sdbot-PI is a network worm and backdoor for the Windows platform. 
The worm spreads to shared folders with weak passwords.

The backdoor component connects to a predefined IRC server and waits for 
commands from a remote attacker.

When run W32/Sdbot-PI copies itself to the Windows system folder as 
ntlogin32.exe. The worm ensures that the copy is run each time Windows 
starts by adding the registry entries:

HKLM\Software\Microsoft\Windows\CurrentVersion\Run
Windows NT Login = "ntlogin32.exe"

HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices
Windows NT Login = "ntlogin32.exe"

HKCU\Software\Microsoft\Windows\CurrentVersion\Run
Windows NT Login = "ntlogin32.exe"

The backdoor component allows a remote attacker to:

transfer files to and from the infected computer
steal CD keys for certain game software
use the infected computer as a proxy server
launch distributed denial of service attacks





Name   W32/MyDoom-Z

Type  
    * Worm

How it spreads  
    * Email messages
    * Chat programs
    * Peer-to-peer

Affected operating systems  
    * Windows

Side effects  
    * Turns off anti-virus applications
    * Allows others to access the computer
    * Sends itself to email addresses found on the infected computer
    * Drops more malware
    * Forges the sender's email address

Aliases  
    * I-Worm.Mydoom.y

Prevalence (1-5) 2

Description
W32/MyDoom-Z is a network and email worm which also contains backdoor 
functionality. The worm spreads by emailing itself and copying itself 
into Kazaa shared folders.

Advanced
W32/MyDoom-Z is a network and email worm which also contains backdoor 
functionality.

The worm forges the 'from' address on email that it sends. The email 
will have a fake from address, apparently from a domain that provides 
free email accounts.

The email has the following characteristics:

Subject line :

Fw: remember me?__
Fw: hi
Fw: hello sweety :>
Fw: my photos
Fw: that's me :-d
Fw: (no subject)
Fw: it's me
Fw: hi, it's me
Fw: 2 new photos
Fw: new photos
Fw: jenna's photos :)
Remember me?__
Hi
Hello sweety :>
My photos
That's me :-d
(no subject)
It's me
Hi, it's me
2 new photos
New photos
Look!_0
Fw: cool
:))
:)
Fw:
Re:
Re[2]:
Fw:cool
Re:cool
Re[2]:cool
Fw:cool!
Re:cool!
Re[2]:cool!
Fw:fun pictures
Re:fun pictures
Re[2]:fun pictures
Fw:fun pictures
Re:fun pictures
Re[2]:fun pictures
Re:fun pictures

Attached file:

Photos.arc.cpl
My.photos.cpl
Newphotos.cpl
New.photos.cpl
Photo.se.cpl
Foto.cpl
Fotos.cpl
My.foto.cpl
Arc.cpl
Photofile.cpl
Photoarchive.cpl
Myfoto.cpl
Photos.arc.exe
My.photos.exe
Myphotos.arc.exe
Newphotos.exe
New.photos.exe
Photo.se.exe
Photos.exe.safe
Foto.exe
Fotos.exe
My.foto.exe
Arc.exe
Photofile.exe
Photoarchive.exe
Photos.selfextracting.exe
Myfoto.exe
Julia038.jpg(lots of space).pif
Marie.dancing.jpg(lots of space).pif
Nude..jpg(lots of space).pif
Photo08.jpg(lots of space).pif
Sunny.jpg(lots of space).pif
With.flowers.jpg(lots of space).pif
2004042301.jpg(lots of space).pif
Me.01.jpg(lots of space).pif
Dcp.0002.jpg(lots of space).pif
Black.gif(lots of space).pif
Photo.jpg(lots of space).pif
Pic.jpg(lots of space).pif
Document.jpg(lots of space).pif
Flowers.jpg(lots of space).pif
Me.01.jpg(lots of space).pif
My.photo.jpg(lots of space).pif

The worm may also arrive in a ZIP file named:
Photos.zip
Myphotos.zip
My.photos.zip
Fotos.zip
Images.zip
New.photos.zip
Pic.zip
New.pic.zip
Arhive.zip

W32/MyDoom-Z also spreads via the Kazaa peer to peer network by dropping 
copies of itself in the Kazaa shared folder. Also, the worm may send ICQ 
messages to other users with the following lines:

"funy game http://www.scionicmusic.com/a"...
"i now play in game http://www.scionicmu"...
"my photos (archived) http://www.llc.uni"...
"http://www.llc.unibo.it/claroline142/ph"...
"http://www.llc.unibo.it/claroline142/ph"...
"http://65.110.51.150/icon/game.exe LOL!"...
"best game http://65.110.51.150/icon/gam"...
"http://64.40.98.94/icon/game.exe funny "...
"http://64.40.98.94/icon/game.exe :-):-)"...
"funn http://64.40.98.94/icon/game.exe :"...

When W32/MyDoom-Z is run it copies itself to services.exe in the Windows 
folder or nb32ext.txt in the Windows system folder and creates the 
following registry entry pointing to the above copies to ensure it is 
run at system logon:

HKLM\Software\Microsoft\Windows\CurrentVersion\Run\
RPCserv

HKLM\System\CurrentControlSet\Services\
NetBios ext

W32/MyDoom-Z will also disable registry editing tools by setting:

HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\
DisableRegistryTools = 0

The worm will also allow itself to bypass the firewall by modifying 
registry entry in:

HKLM\System\CurrentControlSet???\Services\SharedAccress\
DomainProfile\AuthorizedApplications\LIst

W32/MyDoom-Z will also attempt to terminate any security related process 
on the system and modify the host table in 
<Windows system folder>\drivers\etc\hosts to prevent access to security 
related websites.

W32/MyDoom-Z may also download further components from predefined 
websites. These files contain W32/Surila-C.





Name   W32/Rbot-JR

Type  
    * Worm

How it spreads  
    * Network shares

Affected operating systems  
    * Windows

Side effects  
    * Turns off anti-virus applications
    * Allows others to access the computer
    * Steals information
    * Reduces system security
    * Installs itself in the Registry

Aliases  
    * Backdoor.Rbot.gen
    * WORM_RBOT.LU

Prevalence (1-5) 2

Description
W32/Rbot-JR is a member of the W32/Rbot family of worms with a backdoor 
component.

When active W32/Rbot-JR attempts to connect to a remote IRC server and 
enables a malicious user to remotely control the infected computer via a 
specific IRC channel. It will also attempt to shut off any AV-related 
program.

Advanced
W32/Rbot-JR is a member of the W32/Rbot family of worms with a backdoor 
component.

When active W32/Rbot-JR attempts to connect to a remote IRC server and 
enables a malicious user to remotely control the infected computer via a 
specific IRC channel. It will also attempt to shut off any AV-related 
program.

In order to run automatically when Windows starts up the worm copies 
itself to the file lshost.exe in the Windows system folder and adds the 
following registry entries pointing to this file:

HKLM\Software\Microsoft\Windows\CurrentVersion\Run\Generic Host Service
HKCU\Software\Microsoft\Windows\CurrentVersion\Run\Generic Host Service

HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices\
Generic Host Service

HKCU\Software\Microsoft\Windows\CurrentVersion\RunServices\
Generic Host Service

The worm also adds the following registry entries:

HKLM\SOFTWARE\Microsoft\Ole\Generic Host Service = "lshost.exe"

HKCU\Software\Microsoft\OLE\Generic Host Service = "lshost.exe"

and sets the entries:

HKLM\SYSTEM\ControlSet001\Control\Lsa\restrictanonymous = 1

HKLM\SYSTEM\CurrentControlSet\Control\Lsa\restrictanonymous = 1

HKLM\SOFTWARE\Microsoft\Ole\EnableDCOM = "N"

W32/Rbot-JR is capable of the following when instructed by an intruder:

- Capture webcam feed
- Search for CDkeys related to games
- Open remote command prompt
- Download/Upload files
- Carry out DDos
- Capture Windows NT/2000 Login password
- Start Keylogger
- Sniff traffic on network





Name   W32/Lovgate-X

Type  
    * Worm

Aliases  
    * I-Worm.LovGate.q
    * Win32/Lovgate.X
    * WORM_LOVGATE.Q

Prevalence (1-5) 2

Description
W32/Lovgate-X is a worm with the backdoor functionality that spreads via 
email, network shares with weak passwords and filesharing networks.

W32/Lovgate-X may arrive in the email with the following characteristics:
Subject line: chosen from -
test
hi
hello
Mail Delivery System
Mail Transaction Failed
Server Report
Status
Error

Message text: chosen from -
It's the long-awaited film version of the Broadway hit. The message sent 
as a binary attachment.

The message contains Unicode characters and has been sent as a binary 
attachment.

Mail failed. For further assistance, please contact!

Attachment name: chosen from -
document
readme
doc
text
file
data
test
message
body

followed by .bat, .cmd, .exe, .pif or .scr

When executed W32/Lovgate-X creates the service "NetMeeting Remote 
Sharing," copies itself to the Windows folder with the filename 
Systra.exe and to the Windows system folder with the filenames 
iexplore.exe, Winexe.exe, avmond.exe, WinHelp.exe and Kernel66.dll.

W32/Lovgate-X extracts the backdoor components to the Windows system 
folder as ODBC16.DLL, msjdbc11.dll and MSSIGN30.DLL (detected as 
W32/Lovgate-W).

In order to run automatically when Windows starts up W32/Lovgate-X 
creates the following registry entries:

HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices\SystemTra
= C:\WINDOWS\SysTra.EXE

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\
VFW Encoder/Decoder Settings = "RUNDLL32.EXE MSSIGN30.DLL ondll_reg"

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Program In Windows
= "C:\\WINDOWS\\System32\\IEXPLORE.EXE"

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Protected Storage
= "RUNDLL32.EXE MSSIGN30.DLL ondll_reg"

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\runServices\
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\runServices\SystemTra
= "C:\\WINDOWS\\SysTra.EXE"

HKU\Software\Microsoft\Windows NT\CurrentVersion\Windows\run
= "RAVMOND.exe"

HKCR\exefile\shell\open\command
= C:\WINDOWS\System\winexe.exe

W32/Lovgate-X may change the win.ini file by adding path to the 
Ravmond.exe to the 'run=' line.

W32/Lovgate-X attempts to terminate a number of processes with names 
that contains a string chosen from the following list:
KV
KAV
Duba
NAV
kill
RavMon.exe
Rfw.exe
Gate
McAfee
Symantec
SkyNet
rising

W32/Lovgate-X copies itself to the share folders of filesharing networks 
with one of the following filenames:
Are you looking for Love.doc.exe
autoexec.bat
The world of lovers.txt.exe
How To Hack Websites.exe
Panda Titanium Crack.zip.exe
Mafia Trainer!!!.exe
100 free essays school.pif
AN-YOU-SUCK-IT.txt.pif
Sex_For_You_Life.JPG.pif
CloneCD + crack.exe
Age of empires 2 crack.exe
MoviezChannelsInstaler.exe
Star Wars II Movie Full Downloader.exe
Winrar + crack.exe
SIMS FullDownloader.zip.exe
MSN Password Hacker and Stealer.exe

W32/Lovgate-X copies itself to the share folder of the KaZaa network 
with one of the following filenames:
wrar320sc
REALONE
BlackIcePCPSetup_creak
Passware5.3
word_pass_creak
HEROSOFT
orcard_original_creak
rainbowcrack-1.1-win
W32Dasm
setup
<any name>

follwed by .bat, .exe, .pif or .scr





Name   W32/Forbot-C

Type  
    * Worm

How it spreads  
    * Network shares

Affected operating systems  
    * Windows

Side effects  
    * Turns off anti-virus applications
    * Allows others to access the computer
    * Reduces system security
    * Installs itself in the Registry
    * Exploits system or software vulnerabilities

Aliases  
    * Backdoor.Win32.Wootbot.c
    * W32/Sdbot.worm.gen.h

Prevalence (1-5) 2

Description
W32/Forbot-C is a worm which attempts to spread to remote network shares. 
The worm also contains backdoor Trojan functionality, allowing 
unauthorised remote access to the infected computer via IRC channels 
while running in the background as a service process.

Advanced
W32/Forbot-C is a worm which attempts to spread to remote network shares. 
The worm also contains backdoor Trojan functionality, allowing 
unauthorised remote access to the infected computer via IRC channels 
while running in the background as a service process.

W32/Forbot-C moves itself to the Windows system folder as winitr32.exe 
andcreates the following registry entries to run itself on system logon:

HKLM\Software\Microsoft\Windows\CurrentVersion\Run\
Win32 Wmls Driver = winitr32.exe
HKLM\Software\Microsoft\Windows\CurrentVersion\RunOnce\
Win32 Wmls Driver = winitr32.exe
HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices\
Win32 Wmls Driver = winitr32.exe
HKCU\Software\Microsoft\Windows\CurrentVersion\Run\
Win32 Wmls Driver = winitr32.exe
HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnce\
Win32 Wmls Driver = winitr32.exe

W32/Forbot-C attempts to spread to network machines using various 
exploits including the LSASS vulnerability (please see MS04-011).

W32/Forbot-C attempts to terminate several processes related to 
anti-virus and security related software.





Name   W32/Myfip-A

Type  
    * Worm

How it spreads  
    * Network shares

Affected operating systems  
    * Windows

Side effects  
    * Steals information
    * Reduces system security
    * Installs itself in the Registry

Aliases  
    * W32/Myfip.worm

Prevalence (1-5) 2

Description
W32/Myfip-A is a worm that spreads via poorly-protected network shares.

W32/Myfip-A uploads the contents of selected files to a remote machine.

Advanced
W32/Myfip-A is a worm that spreads using network shares that are either 
unprotected or protected only by weak passwords.

The worm copies itself to the file kernel32dll.exe in the Windows system 
folder on the local machine. Copies on network shares can be called 
worm.txt.exe or dfsvc.exe.

W32/Myfip-A may also create files named temp.exe (also detected as 
W32/Myfip-A) and temp.txt (harmless).

The worm attempts to register itself as a service process with the 
ServiceName and DisplayName "Distributed Link Tracking Extensions".

W32/Myfip-A creates the following registry entry:

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\
Distributed File System = "kernel32dll.exe"

W32/Myfip-A builds a list of all filenames whose extension is one of 
PDF, DOC, DWG, SCH, PCB, DWT, DWF and MAX and whose path does not 
contain any of the following strings:

Winnt
Windows
I386
Program Files
All Users
Recycler
System Volume Information
Inetpub
Documents and Settings
Wutemp
My Music

The worm then sends the contents of each file to a preconfigured IP 
address.





Name   W32/Forbot-W

Type  
    * Worm

How it spreads  
    * Network shares

Affected operating systems  
    * Windows

Side effects  
    * Allows others to access the computer
    * Reduces system security
    * Installs itself in the Registry

Prevalence (1-5) 2

Description
W32/Forbot-W is a worm which attempts to spread to remote network shares. 
It also contains backdoor Trojan functionality, allowing unauthorised 
remote access to the infected computer via IRC channels while running in 
the background as a service process.

Advanced
W32/Forbot-W is a worm which attempts to spread to remote network shares. 
It also contains backdoor Trojan functionality, allowing unauthorised 
remote access to the infected computer via IRC channels while running in 
the background as a service process.

W32/Forbot-W copies itself to the Windows system folder as WINXPINIT.EXE 
and creates entries in the registry at the following locations so as to 
run itself on system startup:

HKLM\Software\Microsoft\Windows\CurrentVersion\Run\Win32 USB2 Driver
HKLM\Software\Microsoft\Windows\CurrentVersion\RunOnce\Win32 USB2 Driver
HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices\Win32 USB2 
Driver
HKCU\Software\Microsoft\Windows\CurrentVersion\Run\Win32 USB2 Driver
HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnce\Win32 USB2 Driver

W32/Forbot-W also creates its own service named "LOL", with the display 
name "Win32 USB2 Driver".





Name   W32/Forbot-V

Type  
    * Worm

Affected operating systems  
    * Windows

Side effects  
    * Allows others to access the computer
    * Steals information
    * Downloads code from the internet
    * Reduces system security
    * Installs itself in the Registry

Aliases  
    * Backdoor.Win32.Wootbot.gen

Prevalence (1-5) 2

Description
W32/Forbot-V is a network worm with IRC backdoor functionality.

W32/Forbot-V attempts to spread by exploiting the LSASS (MS04-011) 
vulnerability.

A machine infected by W32/Forbot-V can be remotely controlled by an 
attacker using IRC channels.

Advanced
W32/Forbot-V is a network worm with IRC backdoor functionality.

In order to run automatically when Windows starts up the worm copies 
itself to the file wuaucls.exe in the Windows system folder.

Once installed, W32/Forbot-V connects to a preconfigured IRC server, 
joins a channel and awaits further instructions. These instructions can 
cause the bot to perform any of the following actions:

start a SOCKS4, SOCKS5 or HTTP proxy server
start a TCP redirection server
start an FTP server
download and install an updated version of itself
scan IP addresses for infectable machines
show statistics about the infected system
secure the infected machine against further infection
search for product keys
send files via DCC

W32/Forbot-V attempts to spread to other machines affected by the LSASS 
vulnerability (MS04-011) or infected by one of the Troj/Optix backdoors.

The worm creates the following registry entries:

HKLM\Software\Microsoft\Windows\CurrentVersion\Run\
Windows Security Control = "wuaucls.exe"

HKLM\Software\Microsoft\Windows\CurrentVersion\RunOnce\
Windows Security Control = "wuaucls.exe"

HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices\
Windows Security Control = "wuaucls.exe"

HKCU\Software\Microsoft\Windows\CurrentVersion\Run\
Windows Security Control = "wuaucls.exe"

HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnce\
Windows Security Control = "wuaucls.exe"

W32/Forbot-V searches for product keys for the following software:

Battlefield 1942: Secret Weapons of WWII
Battlefield 1942: The Road to Rome
Battlefield 1942: Vietnam
Black and White
Command and Conquer: Generals
Command and Conquer: Generals: Zero Hour
Command and Conquer: Red Alert 2
Command and Conquer: Tiberian Sun
Counter-Strike
FIFA 2002
FIFA 2003
Freedom Force
Global Operations
Gunman Chronicles
Half-Life
Hidden and Dangerous 2
IGI2: Covert Strike
Industry Giant 2
James Bond 007: Nightfire
Medal of Honor: Allied Assault
Medal of Honor: Allied Assault: Breakthrough
Medal of Honor: Allied Assault: Spearhead
Nascar Racing 2002
Nascar Racing 2003
NHL 2002
NHL 2003
Need for Speed: Underground
Neverwinter Nights
Ravenshield
Shogun: Total War: Warlord Edition
Soldiers of Anarchy
Soldier of Fortune 2
The Gladiators
Unreal Tournament 2003
Unreal Tournament 2004





Name   W32/Bagle-AM

Type  
    * Worm

How it spreads  
    * Email attachments
    * Peer-to-peer

Affected operating systems  
    * Windows

Side effects  
    * Sends itself to email addresses found on the infected computer
    * Forges the sender's email address
    * Uses its own emailing engine

Prevalence (1-5) 2

Description
W32/Bagle-AM is a member of the W32/Bagle family of worms.

Advanced
W32/Bagle-AM is a member of the W32/Bagle family of worms. When run the 
worm copies itself to the Windows system folder as windll.exe to any 
folder with the substring 'shar' in its name as the following filenames:

Microsoft Office 2003 Crack, Working!.exe
Microsoft Windows XP, WinXP Crack, working Keygen.exe
Microsoft Office XP working Crack, Keygen.exe
Porno, sex, oral, anal cool, awesome!!.exe
Porno Screensaver.scr
Serials.txt.exe
KAV 5.0
Kaspersky Antivirus 5.0
Porno pics arhive, xxx.exe
Windows Sourcecode update.doc.exe
Ahead Nero 7.exe
Windown Longhorn Beta Leak.exe
Opera 8 New!.exe
XXX hardcore images.exe
WinAmp 6 New!.exe
WinAmp 5 Pro Keygen Crack Update.exe
Adobe Photoshop 9 full.exe
Matrix 3 Revolution English Subtitles.exe
ACDSee 9.exe

The following registry entry is created:

HKCU\Software\Microsoft\Windows\CurrentVersion\Ru1n
erthgdr = %SYSTEM%\windll.exe

W32/Bagle-AM scans all fixed drives recursively for WAB, TXT, MSG, HTM, 
SHTM, STM, XML, DBX, MBX, MDX, EML, NCH, MMF, ODS, CFG, ASP, PHP, PL, 
WSH, ADB, TBB, SHT, XLS, OFT, UIN, CGI, MHT, DHTM and JSP files, 
extracts email addresses from them and uses those addresses for the mass 
mailing component of the worm.

The worm will email copies of a modified version of itself detected by 
Sophos as W32/Bagle-AQ.





Name   W32/MyDoom-X

Type  
    * Worm

How it spreads  
    * Email messages
    * Network shares

Affected operating systems  
    * Windows

Side effects  
    * Sends itself to email addresses found on the infected computer
    * Drops more malware
    * Forges the sender's email address
    * Installs itself in the Registry

Prevalence (1-5) 2

Description
W32/MyDoom-X is a worm for the Windows platform.

Advanced
W32/MyDoom-X is a worm for the Windows platform.

W32/MyDoom-X is a mass mailer that also spreads by coping itself to the 
available shared folders.

W32/MyDoom-X spoofs the sender address on email sent by the worm.

It will use a sender name that is constructed from the predefined lists 
with an email address that corresponds with the used last name or a 
random part of one of those names with 1 or more random characters 
appended, at one of the following domains:

cox.net
yahoo.com
msn.com
yahoo.co.uk
t-online.de
gmx.net
hotmail.com
aol.com
mail.com
dailymail.co.uk

W32/MyDoom-X will attempt to avoid sending itself to email addresses 
containing any of the following strings:

'icrosof'
'borlan'
'inpris'
'example'
'mydomai'
'nodomai'
'ruslis'
'berkeley'
'ibm.com'
'kernel'
'usenet'
'rfc-ed'
'sendmail'
'acketst'
'tanford.e'
'utgers.ed'
'mozilla'
'be_loyal:'
'samples'
'postmaster'
'webmaster'
'nobody'
'nothing'
'anyone'
'someone'
'rating'
'contact'
'somebody'
'privacy'
'service'
'submit'
'gold-certs'
'the.bat'
'microsoft'
'support'
'listserv'
'certific'
'google'
'account'

The worm obtains email addresses to send itself to from files on the 
local hard disk.

W32/MyDoom-X copies itself to the Windows folder with the filename 
oz2.exe and to the Windows system folder with the filename oz11111.exe 
and sets the registry entries correspondingly:

HKLM\Software\Microsoft\Windows\CurrentVersion\Run\oz2
HKLM\Software\Microsoft\Windows\CurrentVersion\Run\www.symantec.com

W32/MyDoom-X also creates the following files in the Windows system 
folder

\<Windows>\<system>\About_Mydoom.txt
\<Windows>\<system>\Doompic.jpg
\<Windows>\<system>\Downxz.bat
\<Windows>\<system>\log32zx.exe
\<Temp>\services.exe

where text file contains the worm info, downxz.bat is a variant of the 
downloader Trojan detected by the Troj/Delf-FE, log32xz.bat is a Yahoo 
key logger detected as Troj/Keylog-AA and services.exe is detected by 
the W32/MyDoom-O worm.

In order to run them automatically when Windows starts up W32/MyDoom-X 
creates the following registry entries:

HKLM\Software\Microsoft\Windows\CurrentVersion\Run\Downxz
with the path to the downxz.bat

HKLM\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft Windows 
updaterD

with the path to the log32zx.exe


HKLM\Software\Microsoft\Windows\CurrentVersion\Run\Services

with the path to the services.exe

W32/MyDoom-X checks for an internet connection and if www.symantec.com 
host is available it initiates a DDOS attack starting on 29 September 
2004 at 2.00.25pm until 29 October 2004 2.00.25pm.

 
--- MultiMail/Win32 v0.43
 * Origin: Try Our Web Based QWK: DOCSPLACE.ORG (1:123/140)