Text 38, 1724 lines
Written 2005-04-23 14:10:00 by KURT WISMER (1:123/140)
Subject: News, April 23 2005
===========================
[cut-n-paste from sophos.com]
Name Troj/CashGrab-B
Type
* Trojan
Affected operating systems
* Windows
Side effects
* Steals credit card details
* Allows others to access the computer
* Deletes files off the computer
* Steals information
* Drops more malware
* Downloads code from the internet
Aliases
* Trojan-Dropper.Win32.Agent.hp
* Trojan.Win32.Agent.cc
Prevalence (1-5) 2
Description
Troj/CashGrab-B is a password-stealing Trojan aimed at customers of
banking websites.
Troj/CashGrab-B will spy on a user's browsing habits for banking URLs.
The Trojan will then attempt to steal login information.
Troj/CashGrab-B will connect to a remote site to download further files
and data.
Advanced
Troj/CashGrab-B is a password-stealing Trojan aimed at customers of
banking websites.
Troj/CashGrab-B will spy on a user's browsing habits for banking URLs.
The Trojan will then attempt to steal login information.
Troj/CashGrab-B will connect to a remote site to download further files
and data.
When first run, Troj/CashGrab-B will drop the following files:
BOB.CMD - DOS batch file, used to delete Trojan installation files
<Windows system folder>\IA.DATA - Text file containing data
<Windows system folder>\WINDOWS.IDN - Text file containing data
<Windows system folder>\IA.DLL - Troj/CashGrab-B
<Windows system folder>\IAINST.EXE - Troj/CashGrab-B
In order to run automatically each time Internet Explorer starts,
Troj/CashGrab-B will install IA.DLL as a Browser Helper Object. The
following registry branches will be created:
HKCR\CLSID\{3A4E6FF3-BF59-446E-9DC8-731BCE2F349A}
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper
Objects\{3A4E6FF3-BF59-446E-9DC8-731BCE2F349A}
HKCR\IA.IEHelperOP
In particular, the following registry entry will be created:
HKCR\CLSID\{3A4E6FF3-BF59-446E-9DC8-731BCE2F349A}\InprocServer32
(default)
<Windows system folder>\IA.dll
Name W32/LegMir-AD
Type
* Worm
How it spreads
* Network shares
Affected operating systems
* Windows
Side effects
* Modifies data on the computer
* Steals information
* Drops more malware
* Uses its own emailing engine
* Installs itself in the Registry
Aliases
* Trojan.Win32.VB.kj
* TROJ_LEGMIR.B
Prevalence (1-5) 2
Description
W32/LegMir-AD is a network worm with password stealing functionality.
W32/LegMir-AD tries to copy itself to all logical drives connected to
the computer as folder.exe.
W32/LegMir-AD steals password information and emails it to a
preconfigured email address.
The worm may also create a keylogger DLL that is detected by Sophos as
Troj/Legmir-E.
Advanced
W32/LegMir-AD is a network worm with password stealing functionality.
W32/LegMir-AD copies itself to:
\folder.exe
%WINDOWS%\~aTNr.exe
%WINDOWS%\cih.exe
%WINDOWS%\hh.exe
%WINDOWS%\intrenat.exe
%WINDOWS%\notepad.exe
%WINDOWS%\winhlp32.exe
%SYSTEM%\cih.exe
%SYSTEM%\lc_res.exe
%SYSTEM%\Winsocks.dll
The files notepad.exe and hh.exe are first copied to the files Note.dll
and hh.dll respectively before they are overwritten with a copy of the
worm.
W32/LegMir-AD tries to copy itself to all logical drives connected to
the computer as folder.exe.
W32/LegMir-AD creates the following registry entries to ensure it is run
at system logon:
HKLM\Software\Microsoft\Windows\CurrentVersion\Run
Intrenat
%WINDOWS%\intrenat.exe
HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices
Intrenat
%WINDOWS%\intrenat.exe
W32/LegMir-AD also creates the file AUTORUN.INF in the root folder of
each drive; this file can be deleted.
W32/LegMir-AD steals password information and emails it to a
preconfigured email address.
The worm may also create a keylogger DLL that is detected by Sophos as
Troj/Legmir-E.
Name Troj/CashGrab-A
Type
* Trojan
Affected operating systems
* Windows
Side effects
* Allows others to access the computer
* Deletes files off the computer
* Steals information
* Drops more malware
* Downloads code from the internet
* Reduces system security
Aliases
* Trojan.Win32.Agent.cw
* PWS-Cashgrabber
* TROJ_AGENT.DLA
Prevalence (1-5) 2
Description
Troj/CashGrab-A is a password-stealing Trojan aimed at customers of
banking websites.
Troj/CashGrab-A will spy on a user's browsing habits for banking URLs.
The Trojan will then attempt to steal login information.
Troj/CashGrab-A will connect to a remote site to download further files
and data.
Advanced
Troj/CashGrab-A is a password-stealing Trojan aimed at customers of
banking websites.
Troj/CashGrab-A will spy on a user's browsing habits for banking URLs.
The Trojan will then attempt to steal login information.
Troj/CashGrab-A will connect to a remote site to download further files
and data.
When first run, Troj/CashGrab-A will drop the following files:
UPDATE.SYS - Text file containing a URL
SETUP.CMD - DOS batch file, used to delete Trojan installation files
%SYSTEM%\WINDOWS.IDN - Text file containing data
%SYSTEM%\WINST.MSI - Text file containing a URL
%SYSTEM%\MSUPDATE.DLL - Troj/CashGrab-A
%SYSTEM%\WINSETUP.EXE - Troj/CashGrab-A
In order to run automatically each time Internet Explorer starts,
Troj/CashGrab-A will install MSUPDATE.DLL as a Browser Helper Object.
The following registry branches will be created:
HKCR\CLSID\{3A4E6FF3-BF59-446E-9DC8-731BCE2F349A}
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper
Objects\{3A4E6FF3-BF59-446E-9DC8-731BCE2F349A}
HKCR\msupdate.IEHelperOP
In particular, the following registry entry will be created:
HKCR\CLSID\{3A4E6FF3-BF59-446E-9DC8-731BCE2F349A}\InprocServer32
(default)
%SYSTEM%\msupdate.dll
Name Troj/Kelvir-R
Type
* Trojan
Affected operating systems
* Windows
Side effects
* Steals information
* Reduces system security
Aliases
* IM-Worm.Win32.Prex.d
Prevalence (1-5) 2
Description
Troj/Kelvir-R is a Trojan for the Windows platform.
The Trojan monitors the status of MSN Messenger contacts and sends the
following text to all online contacts:
hey
its you!
http://<domain>/friends/pictures.php?email=<recipient's email address>
Name Troj/Dloader-MN
Type
* Trojan
Affected operating systems
* Windows
Side effects
* Downloads code from the internet
Aliases
* Downloader-YS
Prevalence (1-5) 2
Description
Troj/Dloader-MN is a downloader Trojan for the Windows platform.
The Trojan injects code into Internet Explorer, which then attempts to
download a file from a predefined website in the background and run it.
Name W32/Mytob-AG
Type
* Worm
How it spreads
* Email attachments
Affected operating systems
* Windows
Side effects
* Allows others to access the computer
* Sends itself to email addresses found on the infected computer
* Forges the sender's email address
* Uses its own emailing engine
Aliases
* Net-Worm.Win32.Mytob.af
* WORM_MYTOB.CA
Prevalence (1-5) 2
Description
W32/Mytob-AG is a mass-mailing network worm with IRC backdoor
functionality.
W32/Mytob-AG connects to a preconfigured IRC server and joins a channel
in which it can await further instructions.
W32/Mytob-AG attempts to spread to randomly-chosen IP addresses by
exploiting the LSASS vulnerability (MS04-011). The patch for this
vulnerability can be obtained from the Microsoft website:
http://www.microsoft.com/technet/security/bulletin/MS04-011.mspx
Advanced
W32/Mytob-AG is a mass-mailing network worm with IRC backdoor
functionality.
W32/Mytob-AG copies itself to the file w32NTupdt.exe in the Windows
system folder and creates the following registry entries in order to run
at logon:
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
A New Windows Updater
w32NTupdt.exe
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices
A New Windows Updater
w32NTupdt.exe
HKLM\SYSTEM\CurrentControlSet\Control\Lsa
A New Windows Updater
w32NTupdt.exe
HKLM\Software\Microsoft\OLE
A New Windows Updater
w32NTupdt.exe
HKCU\Software\Microsoft\Windows\CurrentVersion\Run
A New Windows Updater
w32NTupdt.exe
HKCU\SYSTEM\CurrentControlSet\Control\Lsa
A New Windows Updater
w32NTupdt.exe
HKCU\Software\Microsoft\OLE
A New Windows Updater
w32NTupdt.exe
Emails sent by W32/Mytob-AG will have the following characteristics:
Subject: one of
Good day
hello
Mail Delivery System
Mail Transaction Failed
Server Report
Status
Error
<random text>
Body: one of
Here are your banks documents.
The message cannot be represented in 7-bit ASCII encoding and has been
sent as a binary attachment. The original message was included as an
attachment.
The message contains Unicode characters and has been sent as a binary
attachment.
Mail transaction failed. Partial message is available.
Attachment name: one of
document
readme
doc
text
file
data
test
message
body
<random text>
Attachment extension: one of
pif
scr
exe
cmd
bat
The attached file may have a double extension.
W32/Mytob-AG connects to a preconfigured IRC server and joins a channel
in which it can await further instructions.
W32/Mytob-AG attempts to spread to randomly-chosen IP addresses by
exploiting the LSASS vulnerability (MS04-011). The patch for this
vulnerability can be obtained from the Microsoft website:
http://www.microsoft.com/technet/security/bulletin/MS04-011.mspx
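The subject, body and attachment lists above are enough to write a mail-gateway rule. The Python below is an added example, not part of the original page and not a Sophos tool: it parses a raw message with the standard library, checks it for the W32/Mytob-AG lure traits, and treats an attachment whose final extension is one of the listed executable types as the signal that matters, with a double extension (readme.txt.pif) and a lure name strengthening it. The two messages it builds are constructed samples, not captures of the worm.

```python
from email import message_from_bytes, policy
from email.message import EmailMessage

# Lure traits listed in the W32/Mytob-AG description above.
LURE_SUBJECTS = {"good day", "hello", "mail delivery system", "mail transaction failed",
                 "server report", "status", "error"}
LURE_BODIES = ("here are your banks documents",
               "cannot be represented in 7-bit ascii encoding",
               "contains unicode characters and has been sent as a binary attachment",
               "mail transaction failed. partial message is available")
LURE_NAMES = {"document", "readme", "doc", "text", "file", "data", "test", "message", "body"}
EXEC_EXTS = {"pif", "scr", "exe", "cmd", "bat"}


def classify_attachment(filename: str) -> dict:
    """Split 'document.txt.pif' into its lure name, whether the *final*
    extension is executable, and whether a decoy extension precedes it."""
    parts = filename.lower().split(".")
    final = parts[-1] if len(parts) > 1 else ""
    return {"name": filename, "executable": final in EXEC_EXTS,
            "double_extension": len(parts) > 2, "lure_name": parts[0] in LURE_NAMES}


def score_message(raw: bytes) -> dict:
    """Parse one RFC 5322 message and report which Mytob traits it carries.
    'block' is set when an executable attachment is combined with any lure
    trait; the subject alone is never enough, since Mytob also uses random text."""
    msg = message_from_bytes(raw, policy=policy.default)
    subject = (msg["subject"] or "").strip().lower()
    body_part = msg.get_body(preferencelist=("plain",))
    body = body_part.get_content().lower() if body_part else ""
    atts = [classify_attachment(p.get_filename() or "") for p in msg.iter_attachments()]
    traits = {
        "subject": subject in LURE_SUBJECTS,
        "body": any(s in body for s in LURE_BODIES),
        "attachment_name": any(a["lure_name"] or a["double_extension"] for a in atts),
    }
    executable = any(a["executable"] for a in atts)
    return {"traits": traits, "attachments": atts, "executable": executable,
            "block": executable and any(traits.values())}


def build_sample(mytob: bool) -> bytes:
    """Constructed test messages (not real captures): a Mytob-style bounce
    carrying a double-extension .pif, or a benign note carrying a PDF."""
    msg = EmailMessage()
    msg["From"] = "postmaster@example.com"   # the worm forges the sender anyway
    msg["To"] = "user@example.net"
    if mytob:
        msg["Subject"] = "Mail Transaction Failed"
        msg.set_content("Mail transaction failed. Partial message is available.")
        msg.add_attachment(b"MZ" + bytes(62), maintype="application",
                           subtype="octet-stream", filename="document.txt.pif")
    else:
        msg["Subject"] = "Q1 figures"
        msg.set_content("Attached are the numbers we discussed.")
        msg.add_attachment(b"%PDF-1.4\n", maintype="application",
                           subtype="pdf", filename="report.pdf")
    return msg.as_bytes()


if __name__ == "__main__":
    for flag in (True, False):
        print(score_message(build_sample(flag)))
```

The rule deliberately keys on the last extension rather than on the whole name: a 2005-era client shows "document.txt.pif" as "document.txt" with extensions hidden, but the operating system still executes it as a PIF.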
Name W32/Nopir-B
Type
* Worm
How it spreads
* Peer-to-peer
Affected operating systems
* Windows
Side effects
* Deletes files off the computer
* Installs itself in the Registry
Prevalence (1-5) 2
Description
W32/Nopir-B is a worm for the Windows platform.
W32/Nopir-B will display an anti-piracy image on the screen when run.
The worm will then delete all COM and MP3 files from the computer. The
worm will also disable taskmanager, registry tools, and access to the
control panel. W32/Nopir-B will also check for debuggers and may attempt
to disable any such software that it finds.
W32/Nopir-B copies itself to <Program Files>\Projects Visual
Studio.NET\Nctrup.exe, <Program Files>\Restore\<random name>.exe,
<Program Files>\eMule\Incoming\AnyDVD 5.1.0.1 Crack+Keygen By Razor.exe.
Advanced
W32/Nopir-B is a worm for the Windows platform.
W32/Nopir-B will display an anti-piracy image on the screen when run.
[Image: the image displayed by the Nopir-B worm]
The worm will then delete all COM and MP3 files from the computer. The
worm will also disable Task Manager, the registry editing tools and
access to the Control Panel. W32/Nopir-B will also check for debuggers
and may attempt to disable any such software that it finds.
W32/Nopir-B copies itself to <Program Files>\Projects Visual
Studio.NET\Nctrup.exe, <Program Files>\Restore\<random name>.exe,
<Program Files>\eMule\Incoming\AnyDVD 5.1.0.1 Crack+Keygen By Razor.exe.
W32/Nopir-B will create the following registry entries:
HKLM\Software\Microsoft\Windows\CurrentVersion\Run
Verif
<Program Files>\Restore\<random name>.exe
HKLM\Software\Microsoft\Windows\CurrentVersion\Run
securw
<Program Files>\Projects Visual Studio.NET\Nctrup.exe
HKCR\exefile\Shell\open\command
<Program Files>\Projects Visual Studio.NET\Nctrup.exe
HKCR\batfile\Shell\open\command
<Program Files>\Projects Visual Studio.NET\Nctrup.exe
HKCR\comfile\Shell\open\command
<Program Files>\Projects Visual Studio.NET\Nctrup.exe
HKCR\scrfile\Shell\open\command
<Program Files>\Projects Visual Studio.NET\Nctrup.exe
HKCR\piffile\Shell\open\command
<Program Files>\Projects Visual Studio.NET\Nctrup.exe
HKCR\vbsfile\Shell\open\command
<Program Files>\Projects Visual Studio.NET\Nctrup.exe
HKCR\vbefile\Shell\open\command
<Program Files>\Projects Visual Studio.NET\Nctrup.exe
HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer
NoControlPanel
1
HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System
DisableTaskMgr
1
HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System
DisableRegistryTools
1
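The registry changes listed for Troj/CashGrab-A/-B (a Browser Helper Object registered only by CLSID, whose DLL is named under HKCR\CLSID\{...}\InprocServer32) and for W32/Nopir-B (Run values plus hijacked shell\open\command handlers for every executable file type) are what a responder checks first on a suspect machine. The Python script below is an added example, not Sophos code and not part of the original post: it parses a Regedit export of those hives, resolves each BHO to the DLL Internet Explorer would load, lists Run/RunServices values, and flags any executable-type handler that is not the stock Windows one. The .reg text embedded in it is constructed for the demonstration; the benign CLSID {00000000-1111-2222-3333-444444444444} and the file names soundtray.exe and toolbar.dll are made up.

```python
import re
from typing import Dict

# Indicators lifted from the descriptions above.
IOC_CLSIDS = {"{3A4E6FF3-BF59-446E-9DC8-731BCE2F349A}"}      # CashGrab-A/-B BHO
IOC_FILENAMES = {"nctrup.exe", "ia.dll", "msupdate.dll", "w32ntupdt.exe",
                 "msaol32.exe", "windesktop.exe", "ip7.exe", "intrenat.exe"}
RUN_KEYS = ("\\currentversion\\run", "\\currentversion\\runservices")
BHO_ROOT = ("hkey_local_machine\\software\\microsoft\\windows\\currentversion"
            "\\explorer\\browser helper objects\\")
EXEC_TYPES = {"exefile", "batfile", "comfile", "scrfile", "piffile", "vbsfile", "vbefile"}
SHELL_OPEN = re.compile(r"hkey_classes_root\\(\w+)\\shell\\open\\command")


def _unquote(data: str) -> str:
    # Decode a REG_SZ literal: strip the quotes and undo the \\ and \" escapes;
    # dword:/hex: values are returned raw.
    if len(data) >= 2 and data[0] == '"' and data[-1] == '"':
        return data[1:-1].replace('\\\\', '\\').replace('\\"', '"')
    return data


def parse_reg_export(text: str) -> Dict[str, Dict[str, str]]:
    """'Windows Registry Editor Version 5.00' text -> {key: {value name: data}}.
    The key's default value, written '@' in the export, is stored as '(default)'."""
    keys: Dict[str, Dict[str, str]] = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(("Windows Registry Editor", ";")):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys.setdefault(current, {})
        elif current is not None and "=" in line:
            name, data = line.split("=", 1)
            keys[current]["(default)" if name == "@" else name.strip('"')] = _unquote(data)
    return keys


def exe_name(cmd: str) -> str:
    """Lower-cased file name of the binary a command line or path points at."""
    m = re.search(r'([^\\/"]+\.(?:exe|dll|sys|scr|pif|cmd|bat))', cmd, re.I)
    return m.group(1).lower() if m else cmd.strip().lower()


def _is_stock_handler(ftype: str, cmd: str) -> bool:
    # Windows' own handlers are "%1" %* (exe/bat/com/pif), "%1" /S (scr) and
    # WScript.exe "%1" %* (vbs/vbe); anything else runs in place of the file.
    c = cmd.strip().lower()
    if ftype in ("vbsfile", "vbefile"):
        return "wscript.exe" in c or "cscript.exe" in c
    return c.startswith('"%1"')


def triage(reg_text: str) -> Dict[str, list]:
    """Run values, BHOs with their resolved DLL, and shell-handler hijacks,
    each tagged True when it matches an indicator from this page."""
    keys = parse_reg_export(reg_text)
    lower = {k.lower(): v for k, v in keys.items()}
    out: Dict[str, list] = {"run": [], "bho": [], "shell_hijack": []}
    for key, values in keys.items():
        k = key.lower()
        if k.endswith(RUN_KEYS):
            for name, cmd in values.items():
                out["run"].append((name, cmd, exe_name(cmd) in IOC_FILENAMES))
        elif k.startswith(BHO_ROOT):
            clsid = key[len(BHO_ROOT):].strip("\\").upper()
            # The BHO key holds only the CLSID; the DLL IE will load is the
            # (default) value of HKCR\CLSID\{clsid}\InprocServer32.
            server = lower.get("hkey_classes_root\\clsid\\%s\\inprocserver32" % clsid.lower(), {})
            dll = server.get("(default)", "")
            out["bho"].append((clsid, dll, clsid in IOC_CLSIDS or exe_name(dll) in IOC_FILENAMES))
        else:
            m = SHELL_OPEN.fullmatch(k)
            cmd = values.get("(default)", "")
            if m and m.group(1) in EXEC_TYPES and not _is_stock_handler(m.group(1), cmd):
                out["shell_hijack"].append((m.group(1), cmd))
    return out


# Constructed export (not from a real machine): the Nopir-B Run value and
# exefile hijack, the CashGrab BHO, a benign BHO with a made-up CLSID,
# and a stock batfile handler for contrast.
SAMPLE_REG = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"securw"="C:\\Program Files\\Projects Visual Studio.NET\\Nctrup.exe"
"SoundTray"="C:\\WINDOWS\\system32\\soundtray.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{3A4E6FF3-BF59-446E-9DC8-731BCE2F349A}]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{00000000-1111-2222-3333-444444444444}]

[HKEY_CLASSES_ROOT\CLSID\{3A4E6FF3-BF59-446E-9DC8-731BCE2F349A}\InprocServer32]
@="C:\\WINDOWS\\system32\\IA.dll"

[HKEY_CLASSES_ROOT\CLSID\{00000000-1111-2222-3333-444444444444}\InprocServer32]
@="C:\\Program Files\\Example Toolbar\\toolbar.dll"

[HKEY_CLASSES_ROOT\exefile\shell\open\command]
@="C:\\Program Files\\Projects Visual Studio.NET\\Nctrup.exe"

[HKEY_CLASSES_ROOT\batfile\shell\open\command]
@="\"%1\" %*"
"""

if __name__ == "__main__":
    for kind, rows in triage(SAMPLE_REG).items():
        for row in rows:
            print(kind, *row)
```

On a live machine the export is produced with `reg export HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion hklm_cv.reg` (and the same for HKCR and HKCU) and the three files concatenated; the shell-handler check is the one to run before trying to start any cleanup tool, because with the exefile handler hijacked every .exe launched, including the cleanup tool, runs the worm instead.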
Name W32/Rbot-AAY
Type
* Worm
How it spreads
* Network shares
Affected operating systems
* Windows
Side effects
* Turns off anti-virus applications
* Allows others to access the computer
* Steals information
* Downloads code from the internet
* Modifies passwords
* Records keystrokes
Prevalence (1-5) 2
Description
W32/Rbot-AAY is an IRC backdoor Trojan and network worm.
W32/Rbot-AAY may spread to remote network shares protected by weak
passwords and computers vulnerable to common exploits. The worm also
opens up a backdoor, allowing unauthorised remote access to infected
computers via the IRC network, while running in the background as a
service process.
The following patches for the operating system vulnerabilities exploited
by W32/Rbot-AAY can be obtained from the Microsoft website:
MS04-012
MS04-011
MS03-049
W32/Rbot-AAY can receive commands from a remote intruder to delete
network shares, log keypresses, participate in DDoS attacks, scan other
computers for vulnerabilities, steal passwords, steal registration keys
for computer games, create administrator accounts, terminate firewall
and anti-virus processes and capture video from webcameras attached to
the computer.
Advanced
W32/Rbot-AAY is an IRC backdoor Trojan and network worm.
W32/Rbot-AAY may spread to remote network shares protected by weak
passwords and computers vulnerable to common exploits. The worm also
opens up a backdoor, allowing unauthorised remote access to infected
computers via the IRC network, while running in the background as a
service process.
The following patches for the operating system vulnerabilities exploited
by W32/Rbot-AAY can be obtained from the Microsoft website:
MS04-012
MS04-011
MS03-049
W32/Rbot-AAY can receive commands from a remote intruder to delete
network shares, log keypresses, participate in DDoS attacks, scan other
computers for vulnerabilities, steal passwords, steal registration keys
for computer games, create administrator accounts, terminate firewall
and anti-virus processes and capture video from webcameras attached to
the computer.
W32/Rbot-AAY copies itself to the Windows system folder as "msaol32.exe"
and creates the following registry entries in order to run automatically
on computer login:
HKCU\Software\Microsoft\Windows\CurrentVersion\Run\
Microsoft AOL Instant Messenger
MSAOL32.exe
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\
Microsoft AOL Instant Messenger
MSAOL32.exe
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices\
Microsoft AOL Instant Messenger
MSAOL32.exe
Name W32/Sdbot-XH
Type
* Worm
How it spreads
* Network shares
Affected operating systems
* Windows
Side effects
* Turns off anti-virus applications
* Allows others to access the computer
* Steals information
* Drops more malware
* Downloads code from the internet
* Reduces system security
Aliases
* WORM_SDBOT.BHU
* W32.Spybot.Worm
Prevalence (1-5) 2
Description
W32/Sdbot-XH is a network worm with backdoor Trojan functionality for
the Windows platform, that spreads through network shares protected by
weak passwords, MS-SQL servers and through various operating system
vulnerabilities.
W32/Sdbot-XH connects to a predetermined IRC channel and awaits further
commands from remote users. The backdoor component of W32/Sdbot-XH can
be instructed to perform the following functions:
scan networks for vulnerabilities
download/execute arbitrary files
start an ftp server
Patches for the vulnerabilities exploited by W32/Sdbot-XH can be
obtained from Microsoft at:
http://www.microsoft.com/technet/security/bulletin/MS02-039.mspx
http://www.microsoft.com/technet/security/bulletin/MS04-011.mspx
http://www.microsoft.com/technet/security/bulletin/MS04-012.mspx
Advanced
W32/Sdbot-XH is a network worm with backdoor Trojan functionality for
the Windows platform.
When first run, W32/Sdbot-XH copies itself to the Windows system folder
as windesktop.exe and sets the following registry entries so that it is
run each time a user logs on:
HKCU\Software\Microsoft\Windows\CurrentVersion\Run\
Windows Desktop Controler
windesktop.exe
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\
Windows Desktop Controler
windesktop.exe
HKCU\Software\Microsoft\Windows\CurrentVersion\RunServices\
Windows Desktop Controler
windesktop.exe
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices\
Windows Desktop Controler
windesktop.exe
The worm sets the Start value of the following services to 4
(SERVICE_DISABLED), which stops Windows Firewall/Internet Connection
Sharing (SharedAccess) and Automatic Updates (wuauserv) from starting:
HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\
Start
4
HKLM\SYSTEM\CurrentControlSet\Services\wuauserv\
Start
4
Registry entries are also created under:
HKCU\Software\Microsoft\OLE\
HKLM\SOFTWARE\Microsoft\Ole\
The worm spreads through network shares protected by weak passwords,
MS-SQL servers and through various operating system vulnerabilities.
W32/Sdbot-XH connects to a predetermined IRC channel and awaits further
commands from remote users. The backdoor component of W32/Sdbot-XH can
be instructed to perform the following functions:
scan networks for vulnerabilities
download/execute arbitrary files
start an ftp server
Patches for the vulnerabilities exploited by W32/Sdbot-XH can be
obtained from Microsoft at:
http://www.microsoft.com/technet/security/bulletin/MS02-039.mspx
http://www.microsoft.com/technet/security/bulletin/MS04-011.mspx
http://www.microsoft.com/technet/security/bulletin/MS04-012.mspx
W32/Sdbot-XH also drops a file to the current folder as msdirectx.sys.
The dropped file is detected by Sophos's anti-virus products as
Troj/NtRootK-F.
The worm changes the Windows HOSTS file in an attempt to prevent access
to sites from the following list:
avp.com
ca.com
customer.symantec.com
dispatch.mcafee.com
download.mcafee.com
f-secure.com
kaspersky.com
kaspersky-labs.com
liveupdate.symantec.com
liveupdate.symantecliveupdate.com
mast.mcafee.com
mcafee.com
my-etrust.com
nai.com
networkassociates.com
rads.mcafee.com
secure.nai.com
securityresponse.symantec.com
sophos.com
symantec.com
trendmicro.com
update.symantec.com
updates.symantec.com
us.mcafee.com
viruslist.com
www.avp.com
www.ca.com
www.f-secure.com
www.grisoft.com
www.kaspersky.com
www.mcafee.com
www.my-etrust.com
www.nai.com
www.networkassociates.com
www.sophos.com
www.symantec.com
www.trendmicro.com
www.viruslist.com
W32/Sdbot-XH terminates a number of processes, including those related
to various anti-virus and security applications as well as system tools
and other worms and Trojans.
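Rewriting the HOSTS file so that vendor update and support domains resolve to the local machine is how W32/Sdbot-XH (and W32/Agobot-RN, further down this post) keeps signature updates from ever arriving. The script below is an added example, not from the original page: it audits a HOSTS file against the domain list above, also flags any non-local name pointed at loopback or 0.0.0.0 (the general form of the trick, which catches vendors not on this particular list), and returns a cleaned copy with the offending lines removed. The HOSTS text in it is constructed; the intranet.corp.example and mirror.example.net entries are invented.

```python
import ipaddress
from typing import List, Tuple

# Domains W32/Sdbot-XH overrides via the HOSTS file (list above), reduced to
# their registrable names; sub-domains such as liveupdate.symantec.com are
# matched by suffix.
VENDOR_DOMAINS = {"avp.com", "ca.com", "symantec.com", "symantecliveupdate.com",
                  "mcafee.com", "f-secure.com", "kaspersky.com", "kaspersky-labs.com",
                  "my-etrust.com", "nai.com", "networkassociates.com", "sophos.com",
                  "trendmicro.com", "viruslist.com", "grisoft.com"}
LOCAL_NAMES = {"localhost", "localhost.localdomain", "broadcasthost"}


def _in_vendor_domains(host: str) -> bool:
    h = host.lower()
    return any(h == d or h.endswith("." + d) for d in VENDOR_DOMAINS)


def _is_sinkhole(ip: str) -> bool:
    """127.x, 0.0.0.0 and ::1 are how a HOSTS entry makes a name unreachable."""
    try:
        a = ipaddress.ip_address(ip)
    except ValueError:
        return False
    return a.is_loopback or a.is_unspecified


def audit_hosts(text: str) -> Tuple[List[Tuple[int, str, str, str]], str]:
    """Return (findings, cleaned): findings are (line_no, ip, host, reason)
    and cleaned is the HOSTS text with the offending lines dropped."""
    findings, kept = [], []
    for no, raw in enumerate(text.splitlines(), 1):
        entry = raw.split("#", 1)[0].split()          # strip trailing comments
        ip, hosts = (entry[0], entry[1:]) if entry else ("", [])
        reasons = []
        for host in hosts:
            if _in_vendor_domains(host):
                reasons.append((host, "security vendor domain overridden"))
            elif _is_sinkhole(ip) and host.lower() not in LOCAL_NAMES:
                reasons.append((host, "non-local name mapped to loopback/unspecified"))
        if reasons:
            for host, why in reasons:
                findings.append((no, ip, host, why))
        else:
            kept.append(raw)
    return findings, "\n".join(kept) + "\n"


# Constructed HOSTS file: the stock localhost line, one legitimate intranet
# override, three vendor overrides of the kind Sdbot-XH writes, and one
# sinkholed name that is not on the vendor list.
SAMPLE_HOSTS = """# Copyright (c) 1993-1999 Microsoft Corp.
# This is a sample HOSTS file used by Microsoft TCP/IP for Windows.
127.0.0.1       localhost
192.168.10.20   intranet.corp.example
127.0.0.1 www.sophos.com
127.0.0.1 liveupdate.symantec.com
127.0.0.1 www.kaspersky.com   # comment text is constructed
0.0.0.0 mirror.example.net
"""

if __name__ == "__main__":
    found, cleaned = audit_hosts(SAMPLE_HOSTS)
    for f in found:
        print("line %d: %s -> %s (%s)" % f)
    print(cleaned)
```

On Windows the file lives at %SystemRoot%\system32\drivers\etc\hosts; the worm may also have set it read-only or hidden, so check attributes before writing the cleaned copy back.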
Name W32/Sober-M
Type
* Worm
How it spreads
* Email attachments
Affected operating systems
* Windows
Side effects
* Sends itself to email addresses found on the infected computer
* Forges the sender's email address
* Uses its own emailing engine
* Installs itself in the Registry
Prevalence (1-5) 2
Description
W32/Sober-M is a mass-mailing worm.
The email sent by W32/Sober-M depends on the recipient address.
Recipients whose email address is in the .de, .ch, .at or .li domains, or
contains the string "gmx.", receive an email as follows:
Subject line: FwD: Ich bin's nochmal
Message text:
Verdammt,,,,
ich hatte vergessen Dir meinen Text mitzuschicken.
Aber bitte nicht woanders darueber Reden, ich wuerde mich dann zu Tode
blamieren!
Ich melde mich.
Bis bald ;)
Attached file: Private-Texte.zip
Email sent to other addresses will have the following characteristics:
Subject line: I've_got your EMail on my_account!
Message text:
Hello,
First, Very Sorry for my bad English.
Someone is sending your private e-mails on my address.
It's probably an e-mail provider error!
At time, I've got over 10 mails on my account, but the recipient are you.
I have copied all the mail text in the windows text-editor for you &
zipped then.
Make sure, that this mails don't come in my mail-box again.
bye
Attached file: your_text.zip
W32/Sober-M harvests email addresses from files with the following
strings in their filenames:
pmr phtm stm slk inbox imb csv bak imh xhtml imm imh cms nws vcf ctl
dhtm cgi pp ppt msg jsp oft vbs uin ldb abc pst cfg mdw mbx mdx mda adp
nab fdb vap dsp ade sln dsw mde frm bas adr cls ini ldif log mdb xml wsh
tbb abx abd adb pl rtf mmf doc ods nch xls nsf txt wab eml hlp mht nfo
php asp shtml dbx
W32/Sober-M avoids sending email to addresses that contain any of the
following strings:
@www @from. smtp- @smtp. ftp. .dial. .ppp. anyone @gmetref sql. someone
nothing you@ user@ reciver@ somebody secure whatever@ whoever@ anywhere
yourname mustermann@ mailer-daemon variabel noreply -dav law2 .qmail@
freeav @ca. abuse winrar domain. host. viren bitdefender spybot
detection ewido. emsisoft linux @foo. winzip @example. bellcore. @arin
@iana @avp icrosoft. @sophos @panda @kaspers free-av antivir virus
verizon. @ikarus. @nai. @messagelab nlpmail01. clock
Advanced
W32/Sober-M is a mass-mailing worm.
When first run, W32/Sober-M opens Notepad and displays a body of text
that starts:
UnPack failed
W32/Sober-M copies itself to the following location:
%WINDOWS%\Config\system\services.exe
and creates the following registry entries to ensure it is run at system
logon:
HKCU\Software\Microsoft\Windows\CurrentVersion\Run
_SystemCheck
%WINDOWS%\Config\system\services.exe
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
SystemCheck
%WINDOWS%\Config\system\services.exe
W32/Sober-M creates a base64 encoded ZIP archived copy of itself in the
following location:
%WINDOWS%\Config\system\zipped.wrm
as well as the harmless data file maddys.xyz which can be deleted.
W32/Sober-M also creates the following data files:
%SYSTEM%\adcmmmmq.hjg
%SYSTEM%\langeinf.lin
%SYSTEM%\nonrunso.ber
%SYSTEM%\xcvfpokd.tqa
The email sent by W32/Sober-M depends on the recipient address.
Recipients whose email address is in the .de, .ch, .at or .li domains, or
contains the string "gmx.", receive an email as follows:
Subject line: FwD: Ich bin's nochmal
Message text:
Verdammt,,,,
ich hatte vergessen Dir meinen Text mitzuschicken.
Aber bitte nicht woanders darueber Reden, ich wuerde mich dann zu Tode
blamieren!
Ich melde mich.
Bis bald ;)
Attached file: Private-Texte.zip
Email sent to other addresses will have the following characteristics:
Subject line: I've_got your EMail on my_account!
Message text:
Hello,
First, Very Sorry for my bad English.
Someone is sending your private e-mails on my address.
It's probably an e-mail provider error!
At time, I've got over 10 mails on my account, but the recipient are you.
I have copied all the mail text in the windows text-editor for you &
zipped then.
Make sure, that this mails don't come in my mail-box again.
bye
Attached file: your_text.zip
W32/Sober-M harvests email addresses from files with the following
strings in their filenames:
pmr phtm stm slk inbox imb csv bak imh xhtml imm imh cms nws vcf ctl
dhtm cgi pp ppt msg jsp oft vbs uin ldb abc pst cfg mdw mbx mdx mda adp
nab fdb vap dsp ade sln dsw mde frm bas adr cls ini ldif log mdb xml wsh
tbb abx abd adb pl rtf mmf doc ods nch xls nsf txt wab eml hlp mht nfo
php asp shtml dbx
W32/Sober-M avoids sending email to addresses that contain any of the
following strings:
@www @from. smtp- @smtp. ftp. .dial. .ppp. anyone @gmetref sql. someone
nothing you@ user@ reciver@ somebody secure whatever@ whoever@ anywhere
yourname mustermann@ mailer-daemon variabel noreply -dav law2 .qmail@
freeav @ca. abuse winrar domain. host. viren bitdefender spybot
detection ewido. emsisoft linux @foo. winzip @example. bellcore. @arin
@iana @avp icrosoft. @sophos @panda @kaspers free-av antivir virus
verizon. @ikarus. @nai. @messagelab nlpmail01. clock
Name Troj/Kelvir-P
Type
* Trojan
How it spreads
* Chat programs
Affected operating systems
* Windows
Side effects
* Modifies data on the computer
Prevalence (1-5) 2
Description
Troj/Kelvir-P is a Trojan for the Windows platform.
The Trojan monitors the status of Windows Messenger contacts and sends
the following text to all online contacts:
Hey look at this
http://<domain>/profile.php?email=<infected user's email address>
Name Troj/Delbot-B
Type
* Trojan
Affected operating systems
* Windows
Side effects
* Turns off anti-virus applications
* Allows others to access the computer
* Drops more malware
* Uses its own emailing engine
* Downloads code from the internet
Prevalence (1-5) 2
Description
Troj/Delbot-B is an IRC backdoor Trojan for the Windows platform.
Troj/Delbot-B will connect to a preconfigured server and open up a
backdoor, allowing unauthorised remote access to remote attackers. The
Trojan can receive commands from the attacker to control the infected
computer. The Trojan can be instructed to:
Download code
Participate in DDoS
Send email
Shutdown the infected system
Start and stop processes
Advanced
Troj/Delbot-B is an IRC backdoor Trojan for the Windows platform.
Troj/Delbot-B will connect to a preconfigured server and open up a
backdoor, allowing unauthorised remote access to remote attackers. The
Trojan can receive commands from the attacker to control the infected
computer. The Trojan can be instructed to:
Download code
Participate in DDoS
Send email
Shutdown the infected system
Start and stop processes
Troj/Delbot-B will copy itself to the Windows folder as cftmon.exe and
mirc.dll and periodically re-set the following registry entry in case it
is removed (note that the value name ctfmon matches the legitimate
Windows ctfmon.exe, while the file itself is cftmon.exe):
HKLM\Software\Microsoft\Windows\CurrentVersion\Run
ctfmon
"<Windows folder>\cftmon.exe"
Troj/Delbot-B may attempt to terminate processes associated with the
following executables:
'_AVPCC'
'ACKWIN32'
'AD-AWARE'
'ADMINTOOL'
'ADVXDWIN'
'AGENTA'
'AGENTSVR'
'ALERTSVC'
'ALOGSERV'
'AMON9X'
'ANTI-TROJAN'
'ANTITROJ'
'ANTIVIRUS'
'APIMONITOR'
'APLICA32'
'APVXDWIN'
'ASHDISP'
'ASHQUICK'
'ATGUARD'
'ATRO55EN'
'ATUPDATER'
'ATWATCH'
'AUTODOWN'
'AUTOTRACE'
'AVCONSOL'
'AVENGINE'
'AVGCC32'
'AVGCTRL'
'AVGSERV'
'AVGSERV9'
'AVGUARD'
'AVKPOP'
'AVKSERV'
'AVKSERVICE'
'AVKWCTL'
'AVKWCTL9'
'AVSCHED32'
'AVSYNMGR'
'AVWINNT'
'AVXGUI'
'AVXLIVE'
'AVXMONITOR9X'
'AVXMONITORNT'
'AVXQUAR'
'BD_PROFESSIONAL'
'BIDSERVER'
'BLACKD'
'BLACKICE'
'BOOTSCAN'
'BOOTWARN'
'CCEVTMGR'
'CFGINTPR'
'CFGWIZ'
'CFIADMIN'
'CFIAUDIT'
'CFINET'
'CFINET32'
'CLAW95'
'CLAW95CF'
'CLEANER'
'CLEANER3'
'CLEANPC'
'CMGRDIAN'
'CMON016'
'CONNECTIONMONITOR'
'CPFNT206'
'CWNB181'
'CWNTDWMO'
'DEFSCANGUI'
'DEFWATCH'
'DEPUTY'
'DPATROL'
'DRWEB32'
'DRWEBSCD'
'ECENGINE'
'EFPEADM'
'ESCANH95'
'ESCANHNT'
'ESCANV95'
'ESPWATCH'
'ETRUSTCIPE'
'EXANTIVIRUS-CNET'
'EXPERT'
'F-AGNT95'
'F-PROT'
'F-PROT95'
'F-STOPW'
'FAMEH32'
'FINDVIRU'
'FIREWALL'
'FLOWPROTECTOR'
'FNRB32'
'FP-WIN'
'FSAV32'
'FSAV530STBYB'
'FSAVSTRT'
'FSGK32'
'FSMA32'
'FSMB32'
'GBMENU'
'GBPOLL'
'GENERICS'
'GLADIATOR'
'GUARDDOG'
'GUARDER'
'HACKERELIMINATOR'
'HACKTRACERSETUP'
'IAMAPP'
'IAMSERV'
'IAMSTATS'
'IBMASN'
'IBMAVSP'
'ICLOAD95'
'ICLOADNT'
'ICSUPP95'
'ICSUPPNT'
'IOMON98'
'IPARMOR'
'ISRV95'
'JAMMER'
'KAVLITE40ENG'
'MCVSSHLD'
'MFW2EN'
'MGAVRTCL'
'MGAVRTE'
'MGHTML'
'MGUTIL'
'MINILOG'
'MONITOR'
'MOOLIVE'
'MPFTRAY'
'MSSMMC32'
'MWATCH'
'N32SCANW'
'NAVAPSVC'
'NAVAPW32'
'NAVLU32'
'NAVSTUB'
'NAVW32'
'NAVWNT'
'NEOWATCHLOG'
'NEOWATCHTRAY'
'NETARMOR'
'NETINFO'
'NETMON'
'NETSCANPRO'
'NETSPYHUNTER-1.2'
'NETUTILS'
'NISSERV'
'NORMIST'
'NPFMESSENGER'
'NPSSVC'
'NSCHED32'
'NTRTSCAN'
'NTXCONFIG'
'NVARCH16'
'NWSERVICE'
'NWTOOL16'
'OSTRONET'
'OUTPOST'
'PADMIN'
'PANIXK'
'PAVFIRES'
'PAVPROXY'
'PAVSRV51'
'PCCCLIENT'
'PCCGUIDE'
'PCCIOMON'
'PCCNTMON'
'PCCPFW'
'PCCWIN97'
'PCCWIN98'
'PCFWALLICON'
'PCSCAN'
'PERISCOPE'
'PERSFW'
'PFWADMIN'
'PINGSCAN'
'PLATIN'
'POP3TRAP'
'POPROXY'
'PORTDETECTIVE'
'PORTMONITOR'
'PPVSTOP'
'PRAZNA'
'PROCMAN'
'PROGRAMAUDITOR'
'PROPORT'
'PROTECTX'
'PVIEW95'
'QCONSOLE'
'QSERVER'
'QTTASK'
'RAPAPP'
'RAV7WIN'
'RAV8WIN32ENG'
'RAVMON'
'RAVWIN8'
'REALMON'
'RMVTRJAN'
'RRGUARD'
'RSHELL'
'RTVSCN95'
'RULAUNCH'
'SAFEWEB'
'SBSERV'
'SCAN32'
'SCANPM'
'SCRSCAN'
'SGSSFW32'
'SPHINX'
'SS3EDIT'
'SUPFTRL'
'SUPPORTER5'
'SWEEP95'
'SWNETSUP'
'SYMPROXYSVC'
'TASKALERT'
'TAUMON'
'TAUSCAN'
'TBSCAN'
'TDS2-NT'
'THGUARD'
'TITANIN'
'TITANINXP'
'TRJSCAN'
'TROJAN'
'TROJANHUNTER'
'TROJANTRAP3'
'TUCONF'
'TWEAK-XP'
'UMXAGENT'
'UMXLDRA'
'V530WTBYB'
'VBCMSERV'
'VBCONS'
'VBWIN9X'
'VBWINNTW'
'VETTRAY'
'VIR-HELP'
'VNLAN300'
'VPFW30S'
'VPTR AY'
'VPTRAY'
'VSCAN40'
'VSCHED'
'VSECOMR'
'VSHWIN32'
'VSMAIN'
'VSSTAT'
'WATCHDOG'
'WATCHER'
'WEBSCANX'
'WEBTRAP'
'WFINDV32'
'WGFE95'
'WIMMUN32'
'WINGATE'
'WINRECON'
'WINROUTE'
'WRADMIN'
'WRCTRL'
'WSBGATE'
'XCOMMSVR'
'XPF202EN'
'ZATUTOR'
'ZAUINST'
'ZONALM2601'
'ZONEALARM'
Troj/Delbot-B will also drop two files to the Windows folder,
0.0 (harmless) and br.dll (detected as Troj/Delbot-B).
Name W32/Agobot-RN
Type
* Worm
How it spreads
* Network shares
Affected operating systems
* Windows
Side effects
* Allows others to access the computer
* Installs itself in the Registry
Prevalence (1-5) 2
Description
W32/Agobot-RN is a network worm with backdoor functionality for the
Windows platform.
The worm allows a remote intruder to gain access and control over the
computer via IRC channels.
Advanced
W32/Agobot-RN is a network worm with backdoor functionality for the
Windows platform.
The worm allows a remote intruder to gain access and control over the
computer via IRC channels.
The worm also modifies the system HOSTS file in order to prevent access
to certain websites.
When first run, the worm copies itself to ip7.exe in the Windows system
folder.
The following registry entries are created to run ip7.exe on startup:
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Configuration Loader10
ip7.exe
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices
Configuration Loader10
ip7.exe
Registry entries are also created under:
HKCR\CLSID\{279816C0-3158-13D1-B2E4-0060975B8649}
Name Troj/Dloader-LW
Type
* Trojan
Affected operating systems
* Windows
Side effects
* Downloads code from the internet
Aliases
* Trojan-Downloader.Win32.Delf.le
Prevalence (1-5) 2
Description
Troj/Dloader-LW is a downloader Trojan for the Windows platform.
The Trojan copies itself to %SYSTEM%\service.exe and runs in the
background.
Troj/Dloader-LW attempts to download files to %SYSTEM%\tcpimon.dll from
predefined websites and open Internet Explorer with a URL obtained from
the downloaded files.
Name Troj/Banker-CH
Type
* Trojan
Affected operating systems
* Windows
Side effects
* Uses its own emailing engine
* Records keystrokes
* Installs itself in the Registry
Aliases
* Trojan-Spy.Win32.Banker.oq
Prevalence (1-5) 2
Description
Troj/Banker-CH is a password-stealing Trojan for the Windows platform.
Troj/Banker-CH monitors which URLs are visited by the web browser and
creates fake web pages for certain Brazilian banking sites in order to
log account information. The logged information is sent to remote users
via email.
Advanced
Troj/Banker-CH is a password-stealing Trojan for the Windows platform.
Troj/Banker-CH creates the following registry entry using the name of
the file when executed to ensure it is run at system logon:
HKLM\Software\Microsoft\Windows\CurrentVersion\Run
<filename>
<path and filename>
Troj/Banker-CH monitors which URLs are visited by the web browser and
creates fake web pages for certain Brazilian banking sites in order to
log account information. The logged information is sent to remote users
via email.
Name W32/Agobot-RM
Type
* Worm
How it spreads
* Network shares
Affected operating systems
* Windows
Side effects
* Turns off anti-virus applications
* Allows others to access the computer
* Steals information
* Reduces system security
* Installs itself in the Registry
Aliases
* Backdoor.Win32.Agobot.abq
Prevalence (1-5) 2
Description
W32/Agobot-RM is a network worm with a backdoor Trojan component.
W32/Agobot-RM is capable of spreading to computers on the local network
protected by weak passwords after receiving the appropriate backdoor
command.
W32/Agobot-RM can also spread by exploiting the following
vulnerabilities:
DCOM (MS04-012)
LSASS (MS04-011)
UPNP (MS01-059)
Workstation Service (MS03-049)
WebDav (MS03-007)
DameWare (CAN-2003-1030)
Microsoft SQL servers with weak passwords.
Backdoors left open by other worms and Trojans.
Advanced
When first run, W32/Agobot-RM copies itself to the Windows system folder
as CRSS.EXE and runs this copy of the worm. The copy will then attempt
to delete the original file. In order to run each time a user logs on,
W32/Agobot-RM will set the following registry entries:
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
CRSS
CRSS.exe
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices
CRSS
CRSS.exe
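The Run and RunServices entries listed for W32/Agobot-RN (Configuration Loader10 / ip7.exe) and W32/Agobot-RM (CRSS / CRSS.exe) are the kind of indicator a responder checks against an exported copy of the registry. The following is an added example, not Sophos's code and not part of the original message: it parses the text of a `reg export` (.reg) file, keeps the string values under both autorun keys and reports any value whose name and file name match the indicators quoted above. It assumes the export has already been decoded to text (reg.exe writes UTF-16LE), and the sample export is constructed for the example. CRSS.exe is worth calling out because it is a lookalike of the legitimate csrss.exe process name.

```python
import re
from typing import Dict, List, Tuple

# Registry keys the worms in this digest use for persistence. Matching is
# case-insensitive because exports and descriptions vary in case.
AUTORUN_KEYS = (
    r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run",
    r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices",
)

# (value name, file name) pairs taken from the W32/Agobot-RN and
# W32/Agobot-RM descriptions in this message, lower-cased for comparison.
KNOWN_AUTORUN_IOCS = {
    ("configuration loader10", "ip7.exe"): "W32/Agobot-RN",
    ("crss", "crss.exe"): "W32/Agobot-RM",
}

_KEY_RE = re.compile(r"^\[(.+)\]$")
_VALUE_RE = re.compile(r'^(?:@|"((?:[^"\\]|\\.)*)")=(.*)$')


def _unescape(s: str) -> str:
    # .reg files escape embedded quotes and double every backslash.
    return s.replace('\\"', '"').replace("\\\\", "\\")


def parse_reg_export(text: str) -> Dict[str, Dict[str, str]]:
    """Parse the string values of a reg.exe export into {key: {name: data}}.
    Only REG_SZ values ("name"="data") are kept; dword:/hex: values are
    skipped because the autorun locations hold command lines, not numbers."""
    result: Dict[str, Dict[str, str]] = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue  # blank line or comment
        m = _KEY_RE.match(line)
        if m:
            current = m.group(1)
            result.setdefault(current, {})
            continue
        if current is None:
            continue  # header line before the first key
        m = _VALUE_RE.match(line)
        if not m:
            continue  # hex continuation lines and other non-value text
        name = _unescape(m.group(1)) if m.group(1) is not None else "(default)"
        data = m.group(2)
        if len(data) >= 2 and data.startswith('"') and data.endswith('"'):
            result[current][name] = _unescape(data[1:-1])
    return result


def find_autorun_iocs(text: str) -> List[Tuple[str, str, str, str]]:
    """Return (key, value name, data, detection name) for every Run or
    RunServices value matching a known indicator from the descriptions."""
    hits = []
    keys = {k.lower(): v for k, v in parse_reg_export(text).items()}
    for key in AUTORUN_KEYS:
        for name, data in keys.get(key.lower(), {}).items():
            # Compare on the bare file name so a full path to ip7.exe matches
            # as well as the bare "ip7.exe" the worm writes. Command lines
            # with arguments are not normalised here.
            basename = data.strip('"').split("\\")[-1].lower()
            label = KNOWN_AUTORUN_IOCS.get((name.lower(), basename))
            if label:
                hits.append((key, name, data, label))
    return hits


# Constructed sample export, not taken from a real machine.
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

; constructed for the example
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
@=""
"Configuration Loader10"="ip7.exe"
"ctfmon.exe"="C:\\WINDOWS\\system32\\ctfmon.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices]
"CRSS"="C:\\WINDOWS\\system32\\CRSS.exe"
"Harmless"=dword:00000001
'''

if __name__ == "__main__":
    for key, name, data, label in find_autorun_iocs(SAMPLE_REG):
        print(f"{label}: {key}\\{name} = {data}")
```

On a live system the input would come from `reg export "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" run.reg`, read with UTF-16 decoding; the parser deliberately ignores binary values so a hex: blob cannot hide a match.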
The worm runs continuously in the background providing backdoor access
to the computer.
W32/Agobot-RM will append entries to the HOSTS file in the
<SYSTEM>\drivers\etc folder. The file contains a list of websites each
bound to the IP loopback address. This prevents access to a list of
anti-virus and security related websites. For example,
127.0.0.1 sophos.com
127.0.0.1 www.sophos.com
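The HOSTS tampering described above is easy to audit offline. The following is an added example, not Sophos's code and not part of the original message: it parses a HOSTS file and flags every hostname bound to a loopback address (the whole 127/8 block and ::1, a slight generalisation of the single 127.0.0.1 form shown) other than the names that normally live there. The sample file is constructed for the example, and the set of legitimate loopback names is an assumption to adjust to your own baseline.

```python
import ipaddress
from typing import List, Tuple

# Hostnames that legitimately resolve to loopback in a stock HOSTS file.
# Assumed baseline; extend it for hosts that deliberately pin names locally.
LEGIT_LOOPBACK = {
    "localhost", "localhost.localdomain", "broadcasthost",
    "ip6-localhost", "ip6-loopback",
}


def parse_hosts(text: str) -> List[Tuple[int, str, List[str]]]:
    """Return (line number, address, [hostnames]) for each active entry.
    Comments (# ...) and blank lines are skipped; tabs and runs of spaces
    are tolerated because appended entries often use odd whitespace."""
    entries = []
    for lineno, raw in enumerate(text.splitlines(), start=1):
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        fields = line.split()
        if len(fields) < 2:
            continue  # malformed: no hostname after the address
        try:
            addr = str(ipaddress.ip_address(fields[0]))
        except ValueError:
            continue  # first token is not an IP address
        entries.append((lineno, addr, [h.lower() for h in fields[1:]]))
    return entries


def suspicious_loopback_entries(text: str) -> List[Tuple[int, str, str]]:
    """Flag every hostname bound to a loopback address that is not a name
    normally found there. W32/Agobot-RM pins security-vendor sites to
    127.0.0.1; any other name on a loopback line deserves a look."""
    flagged = []
    for lineno, addr, names in parse_hosts(text):
        if not ipaddress.ip_address(addr).is_loopback:
            continue
        for name in names:
            if name not in LEGIT_LOOPBACK:
                flagged.append((lineno, addr, name))
    return flagged


# Constructed sample, not a capture from a real machine: a stock file with
# the two lines from the description appended, plus a 127.0.0.2 variant.
SAMPLE_HOSTS = """# Copyright (c) 1993-1999 Microsoft Corp.
#
# This is a sample HOSTS file used by Microsoft TCP/IP for Windows.
127.0.0.1       localhost
::1             localhost ip6-localhost
127.0.0.1 sophos.com
127.0.0.1\twww.sophos.com   # trailing comment
127.0.0.2 update.example-av.test
10.0.0.5  fileserver.corp.example
"""

if __name__ == "__main__":
    for lineno, addr, name in suspicious_loopback_entries(SAMPLE_HOSTS):
        print(f"line {lineno}: {name} -> {addr}")
```

Run it against `<SYSTEM>\drivers\etc\hosts` copied off the machine; an entry pointing a vendor's update domain at loopback explains why a scanner on that host suddenly cannot update.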
The backdoor component of W32/Agobot-RM may be used to:
Initiate Denial-of-Service (DoS) attacks.
Redirect GRE, TCP, HTTP, HTTPS, SOCKS4 and SOCKS5 traffic.
Download, upload, delete and execute files.
Set up an FTP file server.
Steal passwords (including PayPal account information).
List and kill processes.
Stop, start, pause and delete services.
Modify the registry.
Open and close vulnerabilities.
Port scan for vulnerabilities on other remote computers.
Flush the DNS cache.
Log keyboard presses.
Shut down and reboot the computer.
Add and delete network shares, groups and users.
Sniff network traffic for passwords.
Steal email addresses from the computer.
W32/Agobot-RM may alter the following registry entry in order to
enable/disable DCOM:
HKLM\SOFTWARE\Microsoft\Ole\EnableDCOM
W32/Agobot-RM is capable of adding and deleting the C$, D$, E$, IPC$ and
ADMIN$ network shares.
W32/Agobot-RM may steal the Windows Product ID and keys from several
computer applications or games.
W32/Agobot-RM can be instructed to harvest email addresses from the
infected computer by searching the Windows Address Book, used by
Microsoft Outlook and Outlook Express. The worm can also harvest email
addresses from Microsoft Messenger.
W32/Agobot-RM will attempt to terminate a number of anti-virus and
security-related processes in addition to other viruses, worms and
Trojans.
--- MultiMail/Win32 v0.43
* Origin: Try Our Web Based QWK: DOCSPLACE.ORG (1:123/140)