Text 201, 820 lines
Written 2007-08-11 16:22:00 by KURT WISMER
Subject: News, August 11 2007
============================
[cut-n-paste from sophos.com]
Name Troj/IRCBot-XD
Type
* Spyware Trojan
Affected operating systems
* Windows
Side effects
* Allows others to access the computer
* Steals information
* Records keystrokes
* Installs itself in the Registry
Aliases
* Backdoor.Win32.IRCBot.acd
* BKDR_IRCBOT.AIH
Prevalence (1-5) 2
Description
Troj/IRCBot-XD is a Trojan for the Windows platform.
Advanced
Troj/IRCBot-XD is a Trojan for the Windows platform.
When first run Troj/IRCBot-XD copies itself to <System>\libcinet.exe
and creates the file <System>\libwinets.dll. This file is also detected
as Troj/IRCBot-XD. The Trojan also creates the file egos.txt, where
information taken from the clipboard and from the keylogging component
is stored. This file may be safely deleted.
The following registry entry is created to run code exported by a
random CLSID linked to the file libwinets.dll on startup:
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad
printers
<random CLSID>
The file libwinets.dll is registered as a COM object, creating registry
entries under:
HKCR\CLSID\<random CLSID>
Name W32/SillyFDC-AQ
Type
* Worm
How it spreads
* Removable storage devices
Affected operating systems
* Windows
Prevalence (1-5) 2
Description
W32/SillyFDC-AQ is a worm for the Windows platform.
Advanced
W32/SillyFDC-AQ is a worm for the Windows platform.
When run W32/SillyFDC-AQ copies itself to <Startup>\systemnt.exe and
<System>\mslogon.exe.
W32/SillyFDC-AQ spreads via removable shared drives, copying itself to
<Root>\Toy.exe as a hidden, system file and creating the file
<Root>\autorun.inf so that the worm runs when the removable media is
plugged into an uninfected computer. The file <Root>\autorun.inf is
also detected as W32/SillyFDC-AQ.
Name Troj/Banker-EIK
Type
* Spyware Trojan
Affected operating systems
* Windows
Side effects
* Steals information
* Downloads code from the internet
* Installs itself in the Registry
Prevalence (1-5) 2
Description
Troj/Banker-EIK is a Trojan for the Windows platform.
Advanced
Troj/Banker-EIK is a Trojan for the Windows platform.
The Trojan includes functionality to download, install and run new
software.
When first installed, Troj/Banker-EIK copies itself to
<Startup>\Wapp.exe and sets the following registry entry:
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Wapp
<path of Trojan executable>
Name W32/Delf-EXO
Type
* Spyware Worm
Affected operating systems
* Windows
Side effects
* Allows others to access the computer
* Steals information
* Records keystrokes
* Installs itself in the Registry
* Installs a browser helper object
Aliases
* Trojan-Spy.Win32.Delf.uy
Prevalence (1-5) 2
Description
W32/Delf-EXO is a worm for the Windows platform.
Advanced
W32/Delf-EXO is a worm for the Windows platform.
When first run W32/Delf-EXO copies itself to the following location:
<System>\SysInfo.dll.
Upon installation W32/Delf-EXO modifies the file autorun.inf and
injects itself into the system process to enable autorun with
rundll32.exe. The worm spreads with the filename SysInfo2.dll to any
available storage devices using the file autorun.inf.
The worm creates a number of monitoring processes and inserts itself
into explorer.exe and winlogon.exe processes.
SysInfo.DLL is also registered as a COM object, creating registry
entries under:
HKCR\CLSID\{989D2FEB-5411-4565-8988-1DD2C5263377}
Name W32/Looked-DR
Type
* Virus
How it spreads
* Network shares
* Infected files
Affected operating systems
* Windows
Side effects
* Modifies data on the computer
* Drops more malware
* Downloads code from the internet
* Reduces system security
* Leaves non-infected files on computer
Prevalence (1-5) 2
Description
W32/Looked-DR is a virus and network worm for the Windows platform.
Advanced
W32/Looked-DR is a virus and network worm for the Windows platform.
W32/Looked-DR infects files found on the local computer. W32/Looked-DR
also copies itself to remote network shares and may infect files found
on those shares.
W32/Looked-DR includes functionality to access the internet and
communicate with a remote server via HTTP. W32/Looked-DR may attempt to
download and execute additional files from a remote location.
When W32/Looked-DR is installed the following files are created:
<Windows>\Logo1_.exe
<Windows>\uninstall\rundl132.exe
The files Logo1_.exe and rundl132.exe are detected as Mal/Behav-085.
The following registry entry is created to run rundl132.exe on startup:
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
load
<Windows>\uninstall\rundl132.exe
W32/Looked-DR may also create many files with the name "_desktop.ini"
in various folders on the infected computer. These files are harmless
text files and can be deleted.
Name W32/Fujacks-AP
Type
* Worm
How it spreads
* Network shares
Affected operating systems
* Windows
Side effects
* Allows others to access the computer
* Downloads code from the internet
* Installs itself in the Registry
Aliases
* Trojan-Downloader.Win32.Agent.cac
Prevalence (1-5) 2
Description
W32/Fujacks-AP is a worm for the Windows platform.
W32/Fujacks-AP runs continuously in the background, providing a
backdoor server which allows a remote intruder to gain access and
control over the computer.
W32/Fujacks-AP includes functionality to access the internet and
communicate with a remote server via HTTP.
Advanced
W32/Fujacks-AP is a worm for the Windows platform.
W32/Fujacks-AP runs continuously in the background, providing a
backdoor server which allows a remote intruder to gain access and
control over the computer.
W32/Fujacks-AP includes functionality to access the internet and
communicate with a remote server via HTTP.
When first run W32/Fujacks-AP copies itself to <System>\ntsokele.exe.
W32/Fujacks-AP appends an HTML Iframe tag to HTML and ASP files. These
modified files are detected as Troj/Fujif-Fam.
The file ntsokele.exe is registered as a new system driver service
named "Rasautol", with a display name of "Remote Help Session Manager"
and a startup type of automatic, so that it is started automatically
during system startup. Registry entries are created under:
HKLM\SYSTEM\CurrentControlSet\Services\Rasautol
Name W32/Stratio-E
Type
* Worm
How it spreads
* Email attachments
Affected operating systems
* Windows
Side effects
* Turns off anti-virus applications
* Sends itself to email addresses found on the infected computer
* Forges the sender's email address
* Uses its own emailing engine
* Downloads code from the internet
* Installs itself in the Registry
Aliases
* Win32/Stration.XJ worm
Prevalence (1-5) 2
Description
W32/Stratio-E is a worm for the Windows platform.
W32/Stratio-E spreads by sending emails with itself as an attachment.
Advanced
W32/Stratio-E is a worm for the Windows platform.
W32/Stratio-E spreads by sending emails with itself as an attachment.
W32/Stratio-E includes functionality to access the internet and
communicate with a remote server via HTTP.
When W32/Stratio-E is installed the following files are created:
<System>\consmsls.dll
<System>\dispregs.dll
<System>\icmuwmau.dat
<System>\icmuwmau.dll
<System>\icmuwmau.exe
<System>\vvrtusrf.exe
The files consmsls.dll, dispregs.dll, icmuwmau.dll and vvrtusrf.exe are
detected as W32/Strati-Gen. The file icmuwmau.dat is harmless and can
be deleted.
The following registry entries are created to run code exported by
icmuwmau.dll on startup:
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\icmuwmau
DllName
<System>\icmuwmau.dll
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\icmuwmau
Startup
WlxStartupEvent
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\icmuwmau
Impersonate
0
Name W32/SillyFDC-AR
Type
* Worm
How it spreads
* Removable storage devices
Affected operating systems
* Windows
Side effects
* Installs itself in the Registry
Prevalence (1-5) 2
Description
W32/SillyFDC-AR is a worm for the Windows platform.
Advanced
W32/SillyFDC-AR is a worm for the Windows platform.
W32/SillyFDC-AR spreads via removable shared drives, copying itself to
<Root>\<original worm filename> and creating the file
<Root>\autorun.inf that will run the file when the removable media is
plugged into an uninfected computer.
W32/SillyFDC-AR sets the following registry entry to run itself on
startup:
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
rising
<System>\<original worm filename>
W32/SillyFDC-AR also copies itself to
<Root>\<original worm filename>
<System>\<original worm filename>
and creates the file <Root>\autorun.inf. The file <Root>\Autorun.inf
can be safely removed.
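W32/SillyFDC-AQ, W32/Delf-EXO and W32/SillyFDC-AR all rely on an autorun.inf in the root of removable media to start the worm when the drive is plugged into another computer. The following Python triage helper is an added example, not part of the original message or of Sophos's tooling: it parses such a file, lists which directives would run a program, and reports whether the default Explorer verb has been pointed at one of them. The SAMPLE_AUTORUN text is constructed for illustration and only borrows the Toy.exe name from the W32/SillyFDC-AQ description.

```python
"""Triage helper for the autorun.inf files described in the SillyFDC and
Delf-EXO entries: parse the file and list what Windows would run when the
removable drive is inserted or opened.  Added example, not Sophos code; the
SAMPLE_AUTORUN content is constructed."""

# Directives in [autorun] whose value is a program to run.
LAUNCH_KEYS = {"open", "shellexecute"}


def parse_autorun(text):
    """Return {lower-cased key: value} from the [autorun] section.
    Ignores comments, other sections and the blank/NUL padding that worms
    often insert, and keeps the first occurrence of a duplicated key."""
    section, entries = None, {}
    for raw in text.splitlines():
        line = raw.replace("\x00", "").strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip().lower()
        elif section == "autorun" and "=" in line:
            key, _, value = line.partition("=")
            entries.setdefault(key.strip().lower(), value.strip())
    return entries


def launch_targets(entries):
    """(directive, command) pairs that execute code: open=, shellexecute=
    and every shell\\<verb>\\command= entry."""
    return [(k, v) for k, v in entries.items()
            if k in LAUNCH_KEYS
            or (k.startswith("shell\\") and k.endswith("\\command"))]


def triage(text):
    """Summarise an autorun.inf: what runs, which verb is the default, whether
    that default verb runs code, and whether the file re-labels the drive."""
    entries = parse_autorun(text)
    targets = launch_targets(entries)
    default_verb = entries.get("shell")
    return {
        "targets": targets,
        "default_verb": default_verb,
        # shell=<verb> makes Explorer's double-click action run the command
        # stored under shell\<verb>\command, so "Open" launches the worm.
        "default_verb_runs_code": default_verb is not None
            and f"shell\\{default_verb.lower()}\\command" in dict(targets),
        # A custom icon or label makes the drive look like an ordinary volume.
        "relabels_drive": "icon" in entries or "label" in entries,
    }


# Constructed sample in the style the descriptions above report.
SAMPLE_AUTORUN = """[autorun]
open=Toy.exe
shellexecute=Toy.exe
shell\\Open\\command=Toy.exe
shell\\explore\\command=Toy.exe
shell=Open
icon=%SystemRoot%\\system32\\SHELL32.dll,4
"""

if __name__ == "__main__":
    result = triage(SAMPLE_AUTORUN)
    for directive, command in result["targets"]:
        print(f"{directive:24} -> {command}")
    print("default verb:", result["default_verb"],
          "(runs code)" if result["default_verb_runs_code"] else "")
```

Run against an autorun.inf recovered from a suspect drive, the listing shows every path a responder should pull for scanning, and a default verb that resolves to one of those commands explains why the worm also ran when the user merely double-clicked the drive in Explorer.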
Name Troj/PWS-AOF
Type
* Spyware Trojan
Affected operating systems
* Windows
Side effects
* Steals information
* Downloads code from the internet
* Installs itself in the Registry
* Installs a browser helper object
Prevalence (1-5) 2
Description
Troj/PWS-AOF is a Trojan for the Windows platform.
Advanced
Troj/PWS-AOF is a Trojan for the Windows platform.
Troj/PWS-AOF includes functionality to access the internet and
communicate with a remote server via HTTP.
When first run Troj/PWS-AOF copies itself to <Program Files>\Internet
Explorer\rksldk.bak and creates the following files:
<Common Files>\goskdl.dll
<Program Files>\Internet Explorer\rksldk.dll
The files goskdl.dll and rksldk.dll are registered as COM objects,
creating registry entries under:
HKCR\CLSID\(5C7596CB-51CC-5BA3-BE52-6EEA62F9C51C)
HKCR\CLSID\(C1626E66-C26B-C628-E1DF-CDACCFA26EE1)
HKCR\CLSID\(DC7596CB-D6CC-DCA3-DE52-DEEA63F6C61D)
The file rksldk.dll is registered as a shell extension, creating
registry entries under:
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks\(DC7596CB-D6CC-DCA3-DE52-DEEA63F6C61D)
The file goskdl.dll is registered as a Browser Helper Object (BHO) for
Microsoft Internet Explorer, creating registry entries under:
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\(C1626E66-C26B-C628-E1DF-CDACCFA26EE1)
The following registry entry is set:
HKCR\*\shellex\ContextMenuHandlers\ReliveHookDLL
(default)
(5C7596CB-51CC-5BA3-BE52-6EEA62F9C51)
Name W32/IRCBot-XF
Type
* Spyware Worm
How it spreads
* Chat programs
Affected operating systems
* Windows
Side effects
* Allows others to access the computer
* Steals information
* Downloads code from the internet
* Installs itself in the Registry
Prevalence (1-5) 2
Description
W32/IRCBot-XF is a worm for the Windows platform.
Advanced
W32/IRCBot-XF is a worm for the Windows platform.
W32/IRCBot-XF contains functionality to spread via MSN Messenger.
W32/IRCBot-XF runs continuously in the background, providing a backdoor
server which allows a remote intruder to gain access and control over
the computer via IRC channels.
When W32/IRCBot-XF is installed the following files are created:
<User>\new.txt - May be safely deleted.
<Windows>\pictures07-01.zip - Also detected as W32/IRCBot-XF.
<System>\systesrt32.dll - Also detected as W32/IRCBot-XF.
The file systesrt32.dll is registered as a COM object, creating
registry entries under:
HKCR\CLSID\{478DFE97-ED1E-47E4-8BFC-8F09F9F89812}
The following registry entry is created to run systesrt32.dll on startup:
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad
syshelps
{478DFE97-ED1E-47E4-8BFC-8F09F9F89812}
Name Troj/MDrop-BPQ
Type
* Trojan
Affected operating systems
* Windows
Side effects
* Drops more malware
Prevalence (1-5) 2
Description
Troj/MDrop-BPQ is a Trojan for the Windows platform.
Advanced
Troj/MDrop-BPQ is a Trojan for the Windows platform.
When Troj/MDrop-BPQ is installed the following files are created:
<Windows>\ichan.txt
<Windows>\inv.txt
<Windows>\libparse.exe
<Windows>\login.txt
<Windows>\mcop.dll
<Windows>\os32.txt
<Windows>\ping.exe
<Windows>\pnp11.exe
<Windows>\psexec.exe
<Windows>\r.ini
<Windows>\reader.w
<Windows>\stde9.exe
<Windows>\tskdbg.exe
<Windows>\vlxd.bat
<Windows>\x89.reg
The file ping.exe is detected as Troj/Soldier-A and the file stde9.exe
is detected as Troj/ZDown-A.
The following registry entry is created to run tskdbg.exe on startup:
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
WinXPService
<Windows>\Tskdbg.exe
The following registry entries are set or modified, so that tskdbg.exe
is run when files with extensions of CHA and IRC are opened or launched:
HKCR\ChatFile\Shell\open\command
(default)
<Windows>\tskdbg.exe
HKCR\irc\Shell\open\command
(default)
<Windows>\tskdbg.exe
Registry entries are set as follows:
HKCR\ChatFile\DefaultIcon
(default)
<Windows>\tskdbg.exe
HKCR\irc\DefaultIcon
(default)
<Windows>\tskdbg.exe
Registry entries are created under:
HKCU\Software\Microsoft\Microsoft Agent
HKCU\Software\mIRC\DateUsed
HKCR\irc
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\mIRC
Name W32/IRCBot-XG
Type
* Worm
Affected operating systems
* Windows
Side effects
* Installs itself in the Registry
Aliases
* Backdoor.Win32.IRCBot.acd
* W32/IRCbot.worm.gen
Prevalence (1-5) 2
Description
W32/IRCBot-XG is a worm for the Windows platform.
Advanced
W32/IRCBot-XG is a worm for the Windows platform.
W32/IRCBot-XG includes functionality to access the internet and
communicate with a remote server via HTTP.
When first run W32/IRCBot-XG copies itself to <System>\msninet.exe and
creates the following files:
<User>\aria.txt
<System>\libmsns.dll
The following registry entry is created to run code exported by
{BED56B71-F844-4A27-82A5-56AF62D49FF4} on startup:
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad
printers
{BED56B71-F844-4A27-82A5-56AF62D49FF4}
The file libmsns.dll is registered as a COM object, creating registry
entries under:
HKCR\CLSID\{BED56B71-F844-4A27-82A5-56AF62D49FF4}
Name Troj/Delf-EXQ
Type
* Trojan
Affected operating systems
* Windows
Side effects
* Turns off anti-virus applications
* Allows others to access the computer
* Downloads code from the internet
* Installs itself in the Registry
Prevalence (1-5) 2
Description
Troj/Delf-EXQ is a Trojan for the Windows platform.
Advanced
Troj/Delf-EXQ is a Trojan for the Windows platform.
When run Troj/Delf-EXQ copies itself to <User>\Favorites\netservice.exe.
Troj/Delf-EXQ then registers itself as a system service with a display
name of "DDMP" and a service name of "netservice" and a startup type of
automatic. Registry entries are created under:
HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_NETSERVICE\
HKLM\SYSTEM\CurrentControlSet\Services\netservice\
Name Troj/Vacdo-A
Type
* Trojan
Affected operating systems
* Windows
Side effects
* Downloads code from the internet
Aliases
* W32/Downldr2.APXC
* PWS-Banker.dldr
* Trojan-Downloader.Win32.Banload.zg
Prevalence (1-5) 2
Description
Troj/Vacdo-A is a Trojan for the Windows platform.
Advanced
Troj/Vacdo-A is a Trojan for the Windows platform.
Troj/Vacdo-A attempts to download and execute files from a remote
website to the following locations:
<Windows>\svchosts.dll
<System>\imglong.pif
<Windows>\bsyys.scr
The file svchosts.dll is currently detected as Mal/Behav-053. The file
imglong.pif is then moved to imglong.exe, and is currently detected as
Mal/DelpBanc-A. The file bsyys.scr is currently detected as
W32/Vacill-A, which has been seen to send messages via instant
messaging that contain links to a file detected as Troj/Vacdo-A.
Name W32/Sdbot-DGR
Type
* Worm
How it spreads
* Network shares
Affected operating systems
* Windows
Side effects
* Allows others to access the computer
* Downloads code from the internet
* Installs itself in the Registry
Aliases
* W32/Backdoor.BENC
* Backdoor.Win32.SdBot.bgc
Prevalence (1-5) 2
Description
W32/Sdbot-DGR is a network worm for the Windows platform.
Advanced
W32/Sdbot-DGR is a network worm for the Windows platform.
W32/Sdbot-DGR includes functionality to access the internet and
communicate with a remote server via HTTP.
When first run W32/Sdbot-DGR copies itself to:
<Windows>\hkcmd.exe
<Program Files>\KaZaA\My Shared Folder\
The file hkcmd.exe is registered as a new system driver service named
"Intel multimedia devices", with a display name of "Intel multimedia
devices" and a startup type of automatic, so that it is started
automatically during system startup. Registry entries are created under:
HKLM\SYSTEM\CurrentControlSet\Services\Intel multimedia devices
The following registry entries are set, disabling system software:
HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System
DisableTaskMgr
1
HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System
DisableRegistryTools
1
W32/Sdbot-DGR sets the following registry entries, disabling the
automatic startup of other software:
HKLM\SYSTEM\CurrentControlSet\Services\Messenger
Start
4
HKLM\SYSTEM\CurrentControlSet\Services\RemoteRegistry
Start
4
HKLM\SYSTEM\CurrentControlSet\Services\TlntSvr
Start
4
Registry entries are set as follows:
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon
SFCScan
0
HKLM\SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile
EnableFirewall
0
HKLM\SOFTWARE\Policies\Microsoft\WindowsFirewall\StandardProfile
EnableFirewall
0
HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate
DoNotAllowXPSP2
1
HKLM\SOFTWARE\Microsoft\Ole
EnableDCOM
N
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon
SFCDisable
ffffff9d
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon
Shell
Explorer.exe %WINDIR%\hkcmd.exe
Registry entries are created under:
HKLM\SOFTWARE\Microsoft\Security Center
HKLM\SOFTWARE\Symantec\LiveUpdate Admin
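Most of the families above persist through the same few autostart locations (the Run key, ShellServiceObjectDelayLoad, Winlogon\Notify, or a service key), and W32/Sdbot-DGR additionally switches off Task Manager, the registry editor, the firewall and Windows File Protection. The following Python script is an added example, not part of the original message or of Sophos's tooling: it parses a registry export in .reg text form and reports the entries documented above together with the security-weakening values. The SAMPLE_REG text is constructed for illustration; the value names, CLSID and service names it contains are taken only from the descriptions above.

```python
"""Check a Windows registry export (.reg text) for the autostart entries and
security-weakening values that the descriptions above attribute to these
families.  Added example for this bulletin, not Sophos code; the .reg text in
SAMPLE_REG is constructed for illustration."""

HIVES = {"HKEY_LOCAL_MACHINE": "HKLM", "HKEY_CURRENT_USER": "HKCU",
         "HKEY_CLASSES_ROOT": "HKCR", "HKEY_USERS": "HKU"}

# Autostart locations named above, keyed by lower-cased path.  Value names are
# lower-cased; "*" means that the key's mere existence is the indicator.
AUTOSTART = {
    r"hklm\software\microsoft\windows\currentversion\shellserviceobjectdelayload": {
        "printers": "Troj/IRCBot-XD or W32/IRCBot-XG", "syshelps": "W32/IRCBot-XF"},
    r"hklm\software\microsoft\windows\currentversion\run": {
        "wapp": "Troj/Banker-EIK", "load": "W32/Looked-DR",
        "rising": "W32/SillyFDC-AR", "winxpservice": "Troj/MDrop-BPQ"},
    r"hklm\software\microsoft\windows nt\currentversion\winlogon\notify\icmuwmau": {
        "*": "W32/Stratio-E"},
    r"hklm\system\currentcontrolset\services\rasautol": {"*": "W32/Fujacks-AP"},
    r"hklm\system\currentcontrolset\services\netservice": {"*": "Troj/Delf-EXQ"},
    # hkcmd.exe is also a legitimate Intel file name; the service name is keyed on.
    r"hklm\system\currentcontrolset\services\intel multimedia devices": {"*": "W32/Sdbot-DGR"},
}

# (key, value name, data) that W32/Sdbot-DGR sets to reduce system security.
# Its Start=4 changes to Messenger/RemoteRegistry/TlntSvr are left out: disabling
# those services is also ordinary hardening and not a sign of infection by itself.
WEAKENING = {
    (r"hkcu\software\microsoft\windows\currentversion\policies\system", "disabletaskmgr", "1"),
    (r"hkcu\software\microsoft\windows\currentversion\policies\system", "disableregistrytools", "1"),
    (r"hklm\software\policies\microsoft\windowsfirewall\domainprofile", "enablefirewall", "0"),
    (r"hklm\software\policies\microsoft\windowsfirewall\standardprofile", "enablefirewall", "0"),
    (r"hklm\software\policies\microsoft\windows\windowsupdate", "donotallowxpsp2", "1"),
    (r"hklm\software\microsoft\ole", "enabledcom", "n"),
}
WINLOGON = r"hklm\software\microsoft\windows nt\currentversion\winlogon"


def parse_reg(text):
    """Yield (key, name, data) from .reg text; a key line yields (key, None, None).
    Handles REG_SZ and dword values, which is all the entries above use."""
    key = None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            hive, _, rest = line[1:-1].partition("\\")
            key = HIVES.get(hive, hive) + "\\" + rest
            yield key, None, None
        elif key and "=" in line and line[0] in '"@':
            name, _, data = line.partition("=")  # value names here contain no '='
            name = "(default)" if name == "@" else name.strip('"')
            if data.startswith("dword:"):
                data = str(int(data[6:], 16))     # decimal string: "1", "0", ...
            else:
                data = data.strip('"').replace("\\\\", "\\")  # undo .reg escaping
            yield key, name, data


def scan(reg_text):
    """Return a list of (key, name, data, verdict) findings."""
    findings = []
    for key, name, data in parse_reg(reg_text):
        k, n, d = key.lower(), (name or "").lower(), (data or "").lower()
        names = AUTOSTART.get(k, {})
        if name is None and "*" in names:
            findings.append((key, None, None, "autostart key of " + names["*"]))
        elif n in names:
            findings.append((key, name, data, "autostart value of " + names[n]))
        if (k, n, d) in WEAKENING:
            findings.append((key, name, data, "security-weakening value set by W32/Sdbot-DGR"))
        if k == WINLOGON and n == "shell" and d != "explorer.exe":
            findings.append((key, name, data, "extra program in Winlogon Shell"))
        if k == WINLOGON and n == "sfcdisable" and d != "0":
            findings.append((key, name, data, "Windows File Protection disabled"))
    return findings


# Constructed export mixing one benign Run entry with values reported above.
SAMPLE_REG = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\\WINDOWS\\system32\\ctfmon.exe"
"load"="C:\\WINDOWS\\uninstall\\rundl132.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad]
"printers"="{BED56B71-F844-4A27-82A5-56AF62D49FF4}"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"Shell"="Explorer.exe %WINDIR%\\hkcmd.exe"
"SFCDisable"=dword:ffffff9d

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System]
"DisableTaskMgr"=dword:00000001

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Rasautol]
"DisplayName"="Remote Help Session Manager"
"Start"=dword:00000002
"""

if __name__ == "__main__":
    for key, name, data, verdict in scan(SAMPLE_REG):
        print(f"{verdict}: {key} | {name} | {data}")
```

The Winlogon Shell and SFCDisable checks are generic rather than family-specific: a Shell value that is anything other than "explorer.exe" and a non-zero SFCDisable are worth a look on any machine, whereas the value names in AUTOSTART only mean something in combination with the files the descriptions above list.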
--- MultiMail/Win32 v0.43
* Origin: Doc's Place BBS Fido Since 1991 docsplace.tzo.com (1:123/140)