Conference DIRTY_DOZEN, 201 messages
Message 40, 2052 lines
Written 2005-05-14 12:53:00 by KURT WISMER (1:123/140)
Subject: News, May 14 2005
=========================
[cut-n-paste from sophos.com]

Name   W32/Bagz-D

Type  
    * Worm

How it spreads  
    * Email attachments

Affected operating systems  
    * Windows

Side effects  
    * Turns off anti-virus applications
    * Sends itself to email addresses found on the infected computer
    * Forges the sender's email address
    * Uses its own emailing engine
    * Downloads code from the internet

Aliases  
    * I-Worm.Bagz.d

Prevalence (1-5) 3

Description
W32/Bagz-D is a mass mailing network worm that also contains a backdoor 
which allows an intruder to download and install further components.

W32/Bagz-D will attempt to harvest email addresses from TXT, HTM, DBX, 
TBI and TBB files, which it will use for both the to and from addresses 
of emails that it sends.

The worm will also attempt to terminate anti-virus software.

Advanced
W32/Bagz-D is a mass mailing network worm that also contains a backdoor 
which allows an intruder to download and install further components.

W32/Bagz-D will attempt to harvest email addresses from TXT, HTM, DBX, 
TBI and TBB files, which it will use for both the to and from addresses 
of emails that it sends.

The sent email will have the following characteristics:

Subject line:

ASAP
please responce
Read this
urgent
toxic
contract
Money
office
Have a nice day
Hello
Russian's
Amirecans
attachments
attach
waiting
best regards
Administrator
Warning
text
Vasia
re: Andrey
re: please
re: order
Allert!

Attachment (ZIP format):

backup.zip
admin.zip
archivator.zip
about.zip
readme.zip
help.zip
photos.zip
payment.zip
archives.zip
manual.zip
inbox.zip
outbox.zip
save.zip
rar.zip
zip.zip
ataches.zip
documentation.zip
docs.zip

Attachment (EXE format):

backup.doc (spaces) .exe
admin.doc (spaces) .exe
archivator.doc (spaces) .exe
about.doc (spaces) .exe
readme.doc (spaces) .exe
help.doc (spaces) .exe
photos.doc (spaces) .exe
payment.doc (spaces) .exe
archives.doc (spaces) .exe
manual.doc (spaces) .exe
inbox.doc (spaces) .exe
outbox.doc (spaces) .exe
save.doc (spaces) .exe
rar.doc (spaces) .exe
zip.doc (spaces) .exe
ataches.doc (spaces) .exe
documentation.doc (spaces) .exe
docs.doc (spaces) .exe
sysboot.doc (spaces) .exe

W32/Bagz-D will keep a copy of the files that it sends in the Windows 
system32 folder. The worm also drops the following components in to that 
folder:

run32.exe (Detected as component of W32/Bagz-C)
rpc32.exe
ipdb.dll
wdate.dll
jobdb.dll

W32/Bagz-D will also modify the %system32%/drivers/etc/hosts file in 
order to prevent access to major virus vendors websites.

The worm will install itself as a service called RPC32.





Name   W32/Bagz-B

Type  
    * Worm

How it spreads  
    * Email attachments

Affected operating systems  
    * Windows

Side effects  
    * Sends itself to email addresses found on the infected computer
    * Forges the sender's email address
    * Uses its own emailing engine
    * Downloads code from the internet
    * Installs itself in the Registry

Aliases  
    * I-Worm.Bagz.b
    * W32/Bagz.b@MM

Prevalence (1-5) 2

Description
W32/Bagz-B is a mass mailing network worm. It also contains a backdoor 
which allows an intruder to instruct it to download and install further 
components.

W32/Bagz-B may also try to disable the Windows default firewall on 
startup.

W32/Bagz-B will attempt to harvest email addresses from the "Document 
and setting" folder on the local machine with names such as *.txt, 
*.htm, *.htm, *.dbx, *.tbi, *.tbb.

Advanced
The email it sends will contain an attachment either in ZIP format or in 
a binary file. It will contain the following subject lines:

"last request before refunding"
"re: user id update"
"fwd: your funds are eligible for withdrawal"
"find a solution with this customer"
"no subject"
"re: help desk registration"
"failure notice"
"fwd: password"
"when should i call you?"
"re: re: a question"
"knowledge base article"
"open invoices"
"returned mail: see transcript for details"
"building maintenance"
"[fwd: broken link]"
"winxp"
"troubles are back again"
"questions"
"order approval"
"units available"
"progress news"
"big announcements"
"need help pls"
"you have recieved an ecard!"
"what is this ????"
"deactivation notice"
"message recieved, please confirm"
"my funny stories"
"cost inquiry"
"re: payment"
"referrences"
"webmail invite"
"re: quote request"

Attachments can use the following names:

arch.doc<spaces>.exe
arch.zip
archive.doc<spaces>.exe
archive.zip
atach.doc<spaces>.exe
atach.zip
att.doc<spaces>.exe
att.zip
contact.doc<spaces>.exe
contact.zip
db.doc<spaces>.exe
db.zip
dl.exe
doc.doc<spaces>.exe
doc.zip
documents.doc<spaces>.exe
documents.zip
file.doc<spaces>.exe
file.zip
ipdb.dll
jobdb.dll
mail.doc<spaces>.exe
mail.zip
message.doc<spaces>.exe
message.zip
messages.doc<spaces>.exe
messages.zip
msg.doc<spaces>.exe
msg.zip
read.doc<spaces>.exe
read.zip
readme.doc<spaces>.exe
readme.zip
support.doc<spaces>.exe
support.zip
syslogin.exe
tutorial.doc<spaces>.exe
warning.doc<spaces>.exe
warning.zip

W32/Bagz-B will keep a copy of the above files in the folder %system32%. 
Other than the above, it will also drop the following components:

%system32%/dl.exe
%system32%/syslogin.exe
%system32%/ipdb.dll
%system32%/jobdb.dll

And also create the following autorun registry entry:

HKLM\Software\Microsoft\Windows\CurrentVersion\Run\
syslogin.exe = syslogin.exe





Name   W32/Forbot-AR

Type  
    * Worm

How it spreads  
    * Network shares

Affected operating systems  
    * Windows

Side effects  
    * Allows others to access the computer
    * Reduces system security
    * Installs itself in the Registry

Aliases  
    * Backdoor.Win32.Wootbot.gen
    * W32/Gaobot.worm.gen.q
    * WORM_WOOTBOT.K

Prevalence (1-5) 2

Description
W32/Forbot-AR is a worm which attempts to spread to remote network 
shares.

W32/Forbot-AR also contains backdoor Trojan functionality, allowing 
unauthorised remote access to the infected computer via IRC channels 
while running in the background as a service process.

Advanced
W32/Forbot-AR is a worm which attempts to spread to remote network 
shares.

W32/Forbot-AR also contains backdoor Trojan functionality, allowing 
unauthorised remote access to the infected computer via IRC channels 
while running in the background as a service process.

W32/Forbot-AR copies itself to the Windows system folder as 
securitychk.exe and creates entries in the registry at the following 
locations to run itself on system startup:

HKLM\Software\Microsoft\Windows\CurrentVersion\Run\
Microsoft Secure Messenger.NET Service
securitychk.exe

HKLM\Software\Microsoft\Windows\CurrentVersion\RunOnce\Win32 USB2 Driver
Microsoft Secure Messenger.NET Service
securitychk.exe

HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices\Win32 USB2 
Driver
Microsoft Secure Messenger.NET Service
securitychk.exe

HKCU\Software\Microsoft\Windows\CurrentVersion\Run\Win32 USB2 Driver
Microsoft Secure Messenger.NET Service
securitychk.exe

HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnce\Win32 USB2 Driver
Microsoft Secure Messenger.NET Service
securitychk.exe

W32/Forbot-AR also creates its own service named
"Microsoft Secure Messenger.NET Service".





Name   W32/Mytob-CA

Type  
    * Worm

How it spreads  
    * Email attachments

Affected operating systems  
    * Windows

Side effects  
    * Turns off anti-virus applications
    * Allows others to access the computer
    * Sends itself to email addresses found on the infected computer
    * Modifies data on the computer
    * Steals information

Prevalence (1-5) 2

Description
W32/Mytob-CA is a mass-mailing worm and backdoor Trojan that can be 
controlled through the Internet Relay Chat (IRC) network.

W32/Mytob-CA also appends to the HOSTS file to deny access to security 
related websites.

W32/Mytob-CA is capable of spreading through email. Email sent by 
W32/Mytob-CA has the following properties:

Subject line:

Error
hello
Here is your documents.
Mail Delivery System
Mail Transaction Failed
Re: Thank you for delivery
something for you
Status

Message text:

'Mail transaction failed. Partial message is available.'
'Mail transaction failed. Partial message is available.'
'The message cannot be represented in 7-bit ASCII encoding and has been sent as a binary attachment.'
'The message cannot be represented in 7-bit ASCII encoding and has been sent as a binary attachment.'
'The message contains Unicode characters and has been sent as a binary attachment.'
'The message contains Unicode characters and has been sent as a binary attachment.'
'The original message was included as an attachment.'
'The original message was included as an attachment.'

Advanced
W32/Mytob-CA is a mass-mailing worm and backdoor Trojan that can be 
controlled through the Internet Relay Chat (IRC) network.

When first run W32/Mytob-CA copies itself to the Windows system folder 
as shell.exe and creates the following registry entries:

HKLM\Software\Microsoft\Windows\CurrentVersion\Run
Windows Shell
"shell.exe"

HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices
Windows Shell
"shell.exe"

W32/Mytob-CA also appends the following to the HOSTS file to deny access 
to security related websites:


W32/Mytob-CA is capable of spreading through email. Email sent by 
W32/Mytob-CA has the following properties:

Subject line:

Error
hello
Here is your documents.
Mail Delivery System
Mail Transaction Failed
Re: Thank you for delivery
something for you
Status

Message text:

'Mail transaction failed. Partial message is available.'
'Mail transaction failed. Partial message is available.'
'The message cannot be represented in 7-bit ASCII encoding and has been sent as a binary attachment.'
'The message cannot be represented in 7-bit ASCII encoding and has been sent as a binary attachment.'
'The message contains Unicode characters and has been sent as a binary attachment.'
'The message contains Unicode characters and has been sent as a binary attachment.'
'The original message was included as an attachment.'
'The original message was included as an attachment.'

The attached file consists of a base name followed by the extensions 
PIF, SCR, EXE or ZIP. The base names will be one of the following:

DOCUMENT
README
ATTACHMENT
creditcard
LETTER
PayPal

W32/Mytob-CA harvests email addresses from files on the infected 
computer and from the Windows address book. The worm avoids sending 
email to addresses that contain the following:

.gov
.mil
accoun
acketst
admin
anyone
arin.
avp
berkeley
borlan
bsd
bsd
bugs
ca
certific
contact
example
feste
fido
foo.
fsf.
gnu
gold-certs
google
google
gov.
help
iana
ibm.com
icrosof
icrosoft
ietf
info
inpris
isc.o
isi.e
kernel
linux
linux
listserv
math
me
mit.e
mozilla
mydomai
no
nobody
nodomai
noone
not
nothing
ntivi
page
panda
pgp
postmaster
privacy
rating
rfc-ed
ripe.
root
ruslis
samples
secur
sendmail
service
site
soft
somebody
someone
sopho
submit
support
syma
tanford.e
the.bat
unix
unix
usenet
utgers.ed
webmaster
you
your

W32/Mytob-CA may produce the file helllogger.txt which is a harmless 
text file used to log the activity of the user.





Name   W32/Mytob-CH

Type  
    * Worm

How it spreads  
    * Email attachments
    * Network shares

Affected operating systems  
    * Windows

Side effects  
    * Sends itself to email addresses found on the infected computer
    * Modifies data on the computer
    * Drops more malware
    * Forges the sender's email address
    * Uses its own emailing engine

Aliases  
    * WORM_MYTOB.DA

Prevalence (1-5) 2

Description
W32/Mytob-CH is a mass-mailing worm and backdoor Trojan that can be 
controlled through the Internet Relay Chat (IRC) network.

W32/Mytob-CH copies itself to the root folder as:

funny_pic.scr
my_photo2005.scr
see_this!!.scr

and drops a file called hellmsn.exe (detected by Sophos as W32/Mytob-D) 
in the same location. This component attempts to spread the worm by 
sending the aforementioned SCR files through Windows Messenger to all 
online contacts.

W32/Mytob-CH is capable of spreading through email and through the LSASS 
(MS04-011) operating system vulnerability.

W32/Mytob-CH harvests email addresses from files on the infected 
computer and from the Windows address book as well as the Microsoft 
Internet Account Manager.

The following patch for the operating system vulnerability exploited by 
W32/Mytob-CH can be obtained from the Microsoft website:

LSASS (MS04-011) security vulnerability

Advanced
W32/Mytob-CH is a mass-mailing worm and backdoor Trojan that can be 
controlled through the Internet Relay Chat (IRC) network.

When first run W32/Mytob-CH copies itself to the Windows system folder 
as iexplorer.exe and creates the following registry entries:

HKLM\SOFTWARE\Microsoft\Ole
WINTASK
iexplorer.exe

HKCU\Software\Microsoft\Ole
WINTASK
iexplorer.exe

HKLM\SYSTEM\CurrentControlSet\Control\Lsa
WINTASK
iexplorer.exe

HKCU\SYSTEM\CurrentControlSet\Control\Lsa
WINTASK
iexplorer.exe

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices
WINTASK
iexplorer.exe

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
WINTASK
iexplorer.exe

HKCU\Software\Microsoft\Windows\CurrentVersion\Run
WINTASK
iexplorer.exe

W32/Mytob-CH copies itself to the root folder as:

funny_pic.scr
my_photo2005.scr
see_this!!.scr

and drops a file called hellmsn.exe (detected by Sophos as W32/Mytob-D) 
in the same location. This component attempts to spread the worm by 
sending the aforementioned SCR files through Windows Messenger to all 
online contacts.

W32/Mytob-CH also appends the following to the HOSTS file to deny access 
to security related websites:


W32/Mytob-CH is capable of spreading through email and through the LSASS 
(MS04-011) operating system vulnerability.

Email sent by W32/Mytob-CH has the following properties:

Subject line chosen from:

Good day
hello
Mail Delivery System
Mail Transaction Failed
Server Report
Status
Error

Message text chosen from:

'Mail transaction failed. Partial message is available.'
'The message contains Unicode characters and has been sent as a binary attachment.'
'The message cannot be represented in 7-bit ASCII encoding and has been sent as a binary attachment.'
'The original message was included as an attachment.'
'Here are your banks documents.'

The attached file consists of a base name followed by the extensions 
PIF, SCR, EXE or ZIP. The worm may optionally create double extensions 
where the first extension is DOC, TXT or HTM and the final extension is 
PIF, SCR, EXE or ZIP.

W32/Mytob-CH harvests email addresses from files on the infected 
computer and from the Windows address book as well as the Microsoft 
Internet Account Manager.

The following patch for the operating system vulnerability exploited by 
W32/Mytob-CH can be obtained from the Microsoft website:

LSASS (MS04-011) security vulnerability





Name   Troj/Sqdrop-A

Type  
    * Trojan

Affected operating systems  
    * Windows

Side effects  
    * Drops more malware

Prevalence (1-5) 2

Description
Troj/Sqdrop-A is a dropper Trojan for the Windows platform.

Troj/Sqdrop-A will drop two files to the Windows system folder as 
divxenc.exe and msld.dll. The Trojan will then execute divxenc.exe.

Advanced
Troj/Sqdrop-A is a dropper Trojan for the Windows platform.

Troj/Sqdrop-A will drop two files to the Windows system folder as 
divxenc.exe and msld.dll. The Trojan will then execute divxenc.exe.

Troj/Sqdrop-A will then create or modify the following registry entries:

HKLM\Software\Microsoft\Windows\CurrentVersion\Run
divx
<Windows system folder>\divxenc.exe

HKCU\Software\Microsoft\Windows\CurrentVersion\Run
divx
<Windows system folder>\divxenc.exe

HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon Shell
Explorer.exe
<Windows system folder>\divxenc.exe





Name   W32/Eyeveg-F

Type  
    * Worm

How it spreads  
    * Email attachments

Affected operating systems  
    * Windows

Side effects  
    * Allows others to access the computer
    * Sends itself to email addresses found on the infected computer
    * Steals information
    * Forges the sender's email address
    * Uses its own emailing engine

Aliases  
    * Worm.Win32.Eyeveg.f
    * W32/Eyeveg.worm.gen

Prevalence (1-5) 2

Description
W32/Eyeveg-F is a worm for the Windows platform with backdoor 
capabilities.

W32/Eyeveg-F will send itself to email addresses found on the infected 
computer as a ZIP file.

W32/Eyeveg-F will also attempt to contact a predefined URL in order to 
get commands. The tasks that the worm can be instructed to perform are:

Keylogging
Monitoring web traffic
Sending email
Stealing passwords from infected computer

Advanced
W32/Eyeveg-F is a worm for the Windows platform with backdoor 
capabilities.

W32/Eyeveg-F will send itself to email addresses found on the infected 
computer as a ZIP file. The executable in the ZIP file will have one of 
the following names:

Details.doc .scr
Girls.jpg .scr
Image.jpg .scr
Love.jpg .scr
Message.txt .scr
Music.mp3 .scr
News.doc .scr
Photo.jpg .scr
Pic.jpg .scr
Resume.doc .scr
Screensaver .scr
Song.wav .scr
Video.avi .scr

The ZIP file's name and the subject will be the same as the name above 
without an extension.

W32/Eyeveg-F will also attempt to contact a predefined URL in order to 
get commands. The tasks that the worm can be instructed to perform are:

Keylogging
Monitoring web traffic
Sending email
Stealing passwords from infected computer

W32/Eyeveg-F will avoid sending email to addresses containing the 
following strings:

abuse
admin
hostmaster
localdomain
localhost
mcafee
messagelab
microsoft
noreply
postmaster
recipients
reports
root
spam
symantec
webmaster

W32/Eyeveg-F will copy itself to the Windows system folder with a random 
name. W32/Eyeveg-F will then create the following registry entry:

HKLM\Software\Microsoft\Windows\CurrentVersion\Run
<random>
<random>.exe





Name   W32/Kelvir-Gen

Type  
    * Worm

How it spreads  
    * Chat programs

Affected operating systems  
    * Windows

Prevalence (1-5) 2

Description
W32/Kelvir-Gen is a family of instant-messaging worms.

Members of W32/Kelvir-Gen spread by sending a message through Windows 
Messenger to the infected user's contacts. The message encourages the 
recipient to visit a web page to download a file that is often itself a 
member of W32/Kelvir-Gen.

Some members of W32/Kelvir-Gen also attempt to download and execute 
files from remote websites.





Name   Troj/Goldun-T

Type  
    * Trojan

Affected operating systems  
    * Windows

Side effects  
    * Steals credit card details
    * Steals information
    * Reduces system security
    * Installs itself in the Registry

Aliases  
    * Trojan-Dropper.Win32.Agent.ku
    * Trojan-Spy.Win32.Goldun.ar
    * Trojan-Spy.Win32.Goldun.aq

Prevalence (1-5) 2

Description
Troj/Goldun-T is a password-stealing Trojan targeted at users of the 
e-gold online services.

The main dropper for Troj/Goldun-T usually pretends to be part of a new 
security system to allow secure access to the e-gold website and has 
been seen as an attachment to an email with the following message body:

Dear E-gold payment system users,

The recent cases of fraud, unauthorized withdrawal of cash from our
clients' accounts and recurred attempts of hackers to access our server
forced us to implement a new security system. The special program will
ensure safe connection of your computer to our server by means of a unique
encoded key, specially generated for each account. Only the combination of
your login, password and the key will allow you to access the system. The
program is enclosed to the message and doesn't need any installation. By
one click you will be connected to the server and the program will generate
the key. After that you will enter your account from Internet Explorer,
which is absolutely safe. You will be signed out of the program
automatically after closing the window. See the detailed operational
instruction enclosed to the program.

We have to warn you, that if you want to be the user of our system in
future, you'll have to accept our rules and to use this program. Otherwise
please call the numbers below to withdraw your funds. For the detailed
information please enter our site or use our hot line to contact us by
phone.

Our Contacts:

Phone (Worldwide) +1 321-951-1200
FAX (Worldwide) +1 321-956-0790

Best regards, E-gold.

Advanced
Troj/Goldun-T is a password-stealing Trojan targeted at users of the 
e-gold online services.

Troj/Goldun-T drops the files BOSKGJE.EXE and PINCH.EXE to the Windows 
temp folder. BOSKGJE.EXE is also detected as Troj/Goldun-T, and 
PINCH.EXE is detected as Troj/LdPinch-AZ.

The file dropped as BOSKGJE.EXE will drop the file IDMAS.DLL to the 
Windows system folder, also detected as Troj/Goldun-T. Before dropping 
and running the file DELT.BAT in the Windows temp folder in order to 
delete itself, it creates an entry in the registry at

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\
Browser Helper Objects\[68363724-9abc-def0-0fed-fad682644311]

and also entries in the registry under the following location to point 
to the dropped DLL:

HKCR\CLSID\[68363724-9abc-def0-0fed-fad682644311]\

The file dropped as IDMAS.DLL monitors access to www.e-gold.com and 
steals information about the user's account, sending it to a script at 
http://65.75.191.79.

The main dropper for Troj/Goldun-T usually pretends to be part of a new 
security system to allow secure access to the e-gold website and will 
display a fake message box entitled "E-gold security connect" with an 
e-gold image and "Connect" and "Exit" buttons. If the "Connect" button 
is pressed the box displays "Connecting", then "Runing", and finally 
attempts to open Microsoft Internet Explorer at the legitimate e-gold 
login page.

The main dropper for Troj/Goldun-T has been seen as an attachment to an 
email with the following message body:

Dear E-gold payment system users,

The recent cases of fraud, unauthorized withdrawal of cash from our
clients' accounts and recurred attempts of hackers to access our server
forced us to implement a new security system. The special program will
ensure safe connection of your computer to our server by means of a unique
encoded key, specially generated for each account. Only the combination of
your login, password and the key will allow you to access the system. The
program is enclosed to the message and doesn't need any installation. By
one click you will be connected to the server and the program will generate
the key. After that you will enter your account from Internet Explorer,
which is absolutely safe. You will be signed out of the program
automatically after closing the window. See the detailed operational
instruction enclosed to the program.

We have to warn you, that if you want to be the user of our system in
future, you'll have to accept our rules and to use this program. Otherwise
please call the numbers below to withdraw your funds. For the detailed
information please enter our site or use our hot line to contact us by
phone.

Our Contacts:

Phone (Worldwide) +1 321-951-1200
FAX (Worldwide) +1 321-956-0790

Best regards, E-gold.





Name   W32/Rbot-AAY

Type  
    * Worm

How it spreads  
    * Network shares

Affected operating systems  
    * Windows

Side effects  
    * Turns off anti-virus applications
    * Allows others to access the computer
    * Steals information
    * Downloads code from the internet
    * Modifies passwords
    * Records keystrokes

Prevalence (1-5) 2

Description
W32/Rbot-AAY is an IRC backdoor Trojan and network worm.

W32/Rbot-AAY may spread to remote network shares protected by weak 
passwords and computers vulnerable to common exploits. The worm also 
opens up a backdoor, allowing unauthorised remote access to infected 
computers via the IRC network, while running in the background as a 
service process.

The following patches for the operating system vulnerabilities exploited 
by W32/Rbot-AAY can be obtained from the Microsoft website:

MS04-012
MS04-011
MS03-049

W32/Rbot-AAY can receive commands from a remote intruder to delete 
network shares, log keypresses, participate in DDoS attacks, scan other 
computers for vulnerabilities, steal passwords, steal registration keys 
for computer games, create administrator accounts, terminate firewall 
and anti-virus processes and capture video from webcameras attached to 
the computer.

Advanced
W32/Rbot-AAY is an IRC backdoor Trojan and network worm.

W32/Rbot-AAY may spread to remote network shares protected by weak 
passwords and computers vulnerable to common exploits. The worm also 
opens up a backdoor, allowing unauthorised remote access to infected 
computers via the IRC network, while running in the background as a 
service process.

The following patches for the operating system vulnerabilities exploited 
by W32/Rbot-AAY can be obtained from the Microsoft website:

MS04-012
MS04-011
MS03-049

W32/Rbot-AAY can receive commands from a remote intruder to delete 
network shares, log keypresses, participate in DDoS attacks, scan other 
computers for vulnerabilities, steal passwords, steal registration keys 
for computer games, create administrator accounts, terminate firewall 
and anti-virus processes and capture video from webcameras attached to 
the computer.

W32/Rbot-AAY copies itself to the Windows system folder as "msaol32.exe" 
and creates the following registry entries in order to run automatically 
on computer login:

HKCU\Software\Microsoft\Windows\CurrentVersion\Run\
Microsoft AOL Instant Messenger
MSAOL32.exe

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\
Microsoft AOL Instant Messenger
MSAOL32.exe

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices\
Microsoft AOL Instant Messenger
MSAOL32.exe





Name   W32/Agobot-SE

Type  
    * Worm

How it spreads  
    * Network shares

Affected operating systems  
    * Windows

Side effects  
    * Allows others to access the computer
    * Installs itself in the Registry
    * Exploits system or software vulnerabilities

Aliases  
    * Backdoor.Win32.Agobot.ace

Prevalence (1-5) 2

Description
W32/Agobot-SE is a network worm with backdoor functionality for the 
Windows platform.

W32/Agobot-SE connects to an IRC channel and listens for commands from a 
remote attacker. The worm may spread to remote network shares with weak 
passwords.

The following patches for the operating system vulnerabilities exploited 
by W32/Agobot-SE can be obtained from the Microsoft website:

MS04-011
MS04-012
MS03-049
MS02-039

Advanced
When first run the worm copies itself to the Windows system folder as 
system.exe. The following registry entries are created to run system.exe 
on startup:

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Windows
system.exe

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices
Windows
system.exe

Registry entries are also set as follows:

HKCU\SOFTWARE\Microsoft\Ole
Windows
system.exe

HKLM\SOFTWARE\Microsoft\Ole
EnableDCOM
N

HKLM\SYSTEM\CurrentControlSet\Control\Lsa
restrictanonymous
1





Name   Troj/Whistler-F

Type  
    * Trojan

Affected operating systems  
    * Windows

Side effects  
    * Modifies data on the computer
    * Deletes files off the computer
    * Installs itself in the Registry
    * Leaves non-infected files on computer

Aliases  
    * Trojan.Win32.Dire.c
    * QDel247
    * Win32/Dire.C
    * TROJ_QDEL247.A

Prevalence (1-5) 2

Description
Troj/Whistler-F is a destructive Trojan for the Windows platform.

Troj/Whistler-F will attempt to delete files on the user's computer. The 
Trojan will also create a file at C:\WXP and copy it over other files. 
The file contains the message "You did a piracy, you deserve it."

Advanced
When first run the Trojan copies itself to <SYSTEM>\whismng.exe.

The following registry entry is created to run whismng.exe on startup:

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Whistler
<SYSTEM>\whismng.exe -n





Name   W32/Rbot-ACC

Type  
    * Worm

How it spreads  
    * Network shares

Affected operating systems  
    * Windows

Side effects  
    * Turns off anti-virus applications
    * Allows others to access the computer
    * Steals information
    * Downloads code from the internet
    * Reduces system security
    * Modifies passwords

Aliases  
    * W32/Rbot-ACC

Prevalence (1-5) 2

Description
W32/Rbot-ACC is a network worm with IRC backdoor functionality for the 
Windows platform.

W32/Rbot-ACC may spread to remote network shares protected by weak 
passwords and computers vulnerable to common exploits. The worm also 
opens up a backdoor, allowing unauthorised remote access to infected 
computers via the IRC network, while running in the background as a 
service process. The worm exploits vulnerabilities including: RPC-DCOM 
(MS04-012), LSASS (MS04-011) and WKS (MS03-049). The following patches for 
the operating system vulnerabilities exploited by W32/Rbot-ACC can be 
obtained from the Microsoft website:

MS02-039
MS04-011
MS04-012

W32/Rbot-ACC can receive commands from a remote intruder to delete 
network shares, log keypresses, participate in DDoS attacks, scan other 
computers for vulnerabilities, steal passwords, steal registration keys 
for computer games, create administrator accounts, terminate firewall 
and anti-virus processes and capture video from webcameras attached to 
the computer.

Advanced
W32/Rbot-ACC copies itself to the Windows system folder as 
"trmupdate.exe" and creates the following registry entries in order to 
run automatically on computer log on:

HKLM\Software\Microsoft\Windows\CurrentVersion\Run
MS Unix Binary
trmupdate.exe

HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices
MS Unix Binary
trmupdate.exe

HKCU\Software\Microsoft\Windows\CurrentVersion\Run
MS Unix Binary
trmupdate.exe

The worm alters system security by setting the following registry 
entries:

HKLM\SOFTWARE\Microsoft\Ole
EnableDCOM
N

HKLM\SYSTEM\CurrentControlSet\Control\Lsa
restrictanonymous
1





Name   W32/Wurmark-K

Type  
    * Worm

How it spreads  
    * Email attachments

Affected operating systems  
    * Windows

Side effects  
    * Sends itself to email addresses found on the infected computer
    * Deletes files off the computer
    * Drops more malware
    * Forges the sender's email address
    * Leaves non-infected files on computer

Aliases  
    * Email-Worm.Win32.Wurmark.j

Prevalence (1-5) 2

Description
W32/Wurmark-K is a mass-mailing worm.

W32/Wurmark-K emails itself as a ZIP file. When run, W32/Wurmark-K 
displays a JPEG image of an albino gorilla while installing itself on 
the computer.

The image displayed by the Wurmark-K worm.

W32/Wurmark-K harvests email addresses from the infected computer and 
drops another piece of malware detected as W32/Rbot-ABK.

Emails sent by the worm have the following characteristics:

Subject lines:

Hehehe LOL!!
Your Photo Is On A Webpage!!
Hey Rate My Pic Plz...
Someone admire's you!

Message text:

I just saw this on my computer from a while ago
download it and see if you can remember it
lol i was lauging like crazy when i saw it! :D
email me back hehe...

I was vieweing this website and came across
a picture they look just like you! infact im sure
it is haha , did you email this pic into them ? or
is it someonce else :S ? pic is attached
a zip so download it and check & email me back!

Hi ive sent 5 emails now and nobody will rate
my pic!! :( please download and tell me what you
think out of 10 , dont worry if you dont like it
just say i wont be offended p.s i was drunk when
it was taken :P

Someone has asked us on there behalf to send
you this email and tell you they think you are
wonderfull!!! All the The mystery persons details
you need are enclosed in the attachment :)
please download and respond telling us if you
would like to make further contact with this
person.

Regards Hallmark Admirer Mail Admin.

ZIP filename:

Download.zip

Attachment filenames within the ZIP:

Scanned_03.scr
Sexy_02.scr
IMG_001.scr
Admirer_005.scr
Photo_01.pif
Lover_01.scr
Your_Pic.scr
Just_For_You.pif

Advanced
W32/Wurmark-K copies itself to the Windows system folder as "xtc.tmp", 
creates the file "wini.exe" which is detected as W32/Rbot-ABK, and 
creates the clean DLL files "ansmtp.dll" and "bszip.dll".

W32/Wurmark-K will create junk files with the following names, 
overwriting the original files if these exist:

regedit.com
taskmgr.exe
tasklist.com
taskkill.com
netstat.com
tracert.com
ping.com
cmd.com





Name   W32/Mytob-CF

Type  
    * Worm

How it spreads  
    * Email attachments

Affected operating systems  
    * Windows

Side effects  
    * Allows others to access the computer
    * Sends itself to email addresses found on the infected computer
    * Forges the sender's email address
    * Uses its own emailing engine

Prevalence (1-5) 2

Description
W32/Mytob-CF is a mass-mailing worm and backdoor Trojan that can be 
controlled through the Internet Relay Chat (IRC) network.

W32/Mytob-CF also modifies the HOSTS file to deny access to security 
related websites.

Advanced
When first run W32/Mytob-CF copies itself to the Windows system folder 
as 1hellbot.exe and creates the following registry entries:

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
HELLBOT TEST
1hellbot.exe

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices
HELLBOT TEST
1hellbot.exe

W32/Mytob-CF also appends entries to the HOSTS file that map security-related 
websites to 127.0.0.1, denying access to them.

Email sent by W32/Mytob-CF has the following properties:

Subject line chosen from:

Your email account access is restricted
Notice:***Your email account will be suspended***
Notice: **Last Warning**
Security measures
*IMPORTANT* Please Validate Your Email Account
Your Email Account is Suspended For Security Reasons

Message text chosen from:

'We have suspended some of your email services, to resolve the problem 
you should read the attached document.'

'Once you have completed the form in the attached file , your account 
records will not be interrupted and will continue as normal.'

'To safeguard your email account from possible termination, please see 
the attached file.'

'Follow the instructions in the attachment.'

'Account Information Are Attached!'

'To unblock your email account acces, please see the attachment.'

The attached file consists of a base name followed by one of the extensions 
PIF, SCR, EXE or ZIP. The worm may optionally create double extensions 
where the first extension is DOC, TXT or HTM and the final extension is 
PIF, SCR, EXE or ZIP.
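The naming scheme just described, turned into a mail-gateway check. This is an added example, not code from Sophos or from the worm; the sample filenames are constructed, since the page gives only the extension pattern and not the base names.

```python
"""Flag attachments that match the W32/Mytob-CF naming pattern.

Added example, not code from Sophos or from the worm. It implements the
scheme the description gives: a base name plus PIF, SCR, EXE or ZIP,
optionally with a DOC, TXT or HTM decoy extension in front. The filenames
in SAMPLE_ATTACHMENTS are constructed for the demo.
"""
from typing import List, NamedTuple, Optional

# Final extensions the description lists (case-insensitive on Windows).
FINAL_EXTS = {"pif", "scr", "exe", "zip"}
# Decoy extensions that may precede the final one in a double extension.
DECOY_EXTS = {"doc", "txt", "htm"}

SAMPLE_ATTACHMENTS = [            # constructed names, not from the page
    "account_info.doc.pif",       # double extension, decoy .doc
    "Warning.TXT.scr",            # case differs, still matches
    "validate.zip",               # plain archive attachment
    "statement.pdf",              # benign
    "readme",                     # no extension
]


class Verdict(NamedTuple):
    filename: str
    final_ext: str              # last extension, lower-cased ("" if none)
    decoy_ext: Optional[str]    # DOC/TXT/HTM decoy before final_ext, if any
    suspicious: bool
    reason: str


def classify_attachment(filename: str) -> Verdict:
    """Classify one attachment name against the Mytob-CF pattern."""
    name = filename.strip()
    pieces = name.lower().split(".")
    if len(pieces) < 2 or not pieces[-1]:
        return Verdict(name, "", None, False, "no extension")
    final_ext = pieces[-1]
    decoy_ext = None
    if len(pieces) >= 3 and pieces[-2] in DECOY_EXTS:
        decoy_ext = pieces[-2]
    if final_ext not in FINAL_EXTS:
        return Verdict(name, final_ext, decoy_ext, False,
                       "final extension is not PIF/SCR/EXE/ZIP")
    if decoy_ext:
        # Explorer hides known extensions by default, so this name shows
        # as "<base>.<decoy>" and looks like a document to the recipient.
        return Verdict(name, final_ext, decoy_ext, True,
                       f"double extension: .{decoy_ext} decoy hides .{final_ext}")
    return Verdict(name, final_ext, None, True,
                   f"executable or archive attachment: .{final_ext}")


def suspicious_attachments(filenames: List[str]) -> List[str]:
    """Return the names from filenames that a gateway should quarantine."""
    return [v.filename for v in map(classify_attachment, filenames) if v.suspicious]


if __name__ == "__main__":
    for v in map(classify_attachment, SAMPLE_ATTACHMENTS):
        tag = "QUARANTINE" if v.suspicious else "pass      "
        print(f"{tag} {v.filename}: {v.reason}")
```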

W32/Mytob-CF harvests email addresses from files on the infected 
computer and from the Windows address book.





Name   W32/Nopir-B

Type  
    * Worm

How it spreads  
    * Peer-to-peer

Affected operating systems  
    * Windows

Side effects  
    * Deletes files off the computer
    * Installs itself in the Registry

Prevalence (1-5) 2

Description
W32/Nopir-B is a worm for the Windows platform.

W32/Nopir-B will display an anti-piracy image on the screen when run. 
The worm will then delete all COM and MP3 files from the computer. The 
worm will also disable Task Manager, registry tools, and access to the 
Control Panel. W32/Nopir-B will also check for debuggers and may attempt 
to disable any such software that it finds.

W32/Nopir-B copies itself to <Program Files>\Projects Visual 
Studio.NET\Nctrup.exe, <Program Files>\Restore\<random name>.exe, 
<Program Files>\eMule\Incoming\AnyDVD 5.1.0.1 Crack+Keygen By Razor.exe.

Advanced
W32/Nopir-B is a worm for the Windows platform.

W32/Nopir-B will display an anti-piracy image on the screen when run, as 
seen here:


The image displayed by the Nopir-B worm.

W32/Nopir-B will create the following registry entries:

HKLM\Software\Microsoft\Windows\CurrentVersion\Run
Verif
<Program Files>\Restore\<random name>.exe

HKLM\Software\Microsoft\Windows\CurrentVersion\Run
securw
<Program Files>\Projects Visual Studio.NET\Nctrup.exe

HKCR\exefile\Shell\open\command

<Program Files>\Projects Visual Studio.NET\Nctrup.exe

HKCR\batfile\Shell\open\command

<Program Files>\Projects Visual Studio.NET\Nctrup.exe

HKCR\comfile\Shell\open\command

<Program Files>\Projects Visual Studio.NET\Nctrup.exe

HKCR\scrfile\Shell\open\command

<Program Files>\Projects Visual Studio.NET\Nctrup.exe

HKCR\piffile\Shell\open\command

<Program Files>\Projects Visual Studio.NET\Nctrup.exe

HKCR\vbsfile\Shell\open\command

<Program Files>\Projects Visual Studio.NET\Nctrup.exe

HKCR\vbefile\Shell\open\command

<Program Files>\Projects Visual Studio.NET\Nctrup.exe

HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer
NoControlPanel
1

HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System
DisableTaskMgr
1

HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System
DisableRegistryTools
1





Name   W32/Mytob-BC

Type  
    * Worm

How it spreads  
    * Email attachments

Affected operating systems  
    * Windows

Side effects  
    * Allows others to access the computer
    * Modifies data on the computer
    * Forges the sender's email address
    * Uses its own emailing engine
    * Reduces system security

Aliases  
    * Net-Worm.Win32.Mytob.au

Prevalence (1-5) 2

Description
W32/Mytob-BC is a mass-mailing worm and IRC backdoor Trojan.

W32/Mytob-BC can harvest email addresses from files on the infected 
computer and from the Windows address book.

Emails sent by the worm have the following characteristics:

Subject line:

Notice:***Your email account will be suspended***

YOUR EMAIL ACCOUNT ACCESS IS RESTRICTED

Your Email Account is Suspended For Security Reasons

Your email account access is restricted

Notice:**Last Warning**

Email Account Suspension

*IMPORTANT* Your Account Has Been Locked

Security Measures

*IMPORTANT* PLEASE VALIDATE YOUR EMAIL ACCOUNT

<random>

Message body:

Please see the attachment.

please look at attached document.

We have suspended some of your email services, to resolve the problem 
you should read the attached document.

Once you have completed the form in the attached file , your account 
records will not be interrupted and will continue as normal.

To unblock your email account acces, please see the attachment.

To safeguard your email account from possible termination, please see 
the attached file.

Account Information Are Attached!

<random>

Advanced
When first run the worm copies itself to <SYSTEM>\1hellbot.exe.

The following registry entries are created to run 1hellbot.exe on 
startup:

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
HELLBOT TEST
1hellbot.exe

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices
HELLBOT TEST
1hellbot.exe

The worm sets the following registry entry to reduce system security:

HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess
Start
4

W32/Mytob-BC blocks access to security-related websites by writing entries 
to the Windows hosts file that map them to 127.0.0.1.

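A check for the hosts-file hijack that both W32/Mytob-CF and W32/Mytob-BC perform, as an added example that is not Sophos's code: it flags any hosts entry sending a non-local name to a loopback address and produces a cleaned copy. The sample hosts text is constructed for the demo, and the check assumes no legitimate name other than the usual localhost aliases should resolve to loopback on the machine.

```python
"""Detect and undo hosts-file hijacking of the kind W32/Mytob-CF and
W32/Mytob-BC perform.

Added example, not code from Sophos. The worms append lines that point
security vendors' websites at 127.0.0.1; a generic check that catches
any such line is to flag every hosts entry whose address is loopback but
whose name is not one of the usual localhost aliases. SAMPLE_HOSTS is
constructed for the demo.
"""
import ipaddress
from typing import Iterator, List, Tuple

# Names that legitimately resolve to loopback; anything else sent there is
# suspect. Assumption: the machine has no other deliberate loopback aliases.
LEGIT_LOOPBACK = {"localhost", "localhost.localdomain",
                  "ip6-localhost", "ip6-loopback"}

SAMPLE_HOSTS = """\
# Copyright (c) 1993-1999 Microsoft Corp.
127.0.0.1       localhost
10.0.0.5        build-server.corp.example   # constructed internal entry
127.0.0.1 www.sophos.com
127.0.0.1 update.symantec.com
127.0.0.1 www.microsoft.com
"""

Entry = Tuple[int, str, str]   # (line number, address, hostname)


def parse_hosts(text: str) -> Iterator[Tuple[int, str, List[str]]]:
    """Yield (lineno, address, hostnames) for each non-comment entry."""
    for lineno, raw in enumerate(text.splitlines(), 1):
        body = raw.split("#", 1)[0].strip()   # drop trailing comments
        fields = body.split()
        if len(fields) >= 2:
            yield lineno, fields[0], fields[1:]


def is_loopback(address: str) -> bool:
    """True for 127.0.0.0/8 and ::1; False for anything unparsable."""
    try:
        return ipaddress.ip_address(address).is_loopback
    except ValueError:                       # malformed address field
        return False


def find_hijacked(text: str) -> List[Entry]:
    """Return every (lineno, address, name) sending a non-local name to loopback."""
    hits: List[Entry] = []
    for lineno, address, names in parse_hosts(text):
        if is_loopback(address):
            hits.extend((lineno, address, n) for n in names
                        if n.lower() not in LEGIT_LOOPBACK)
    return hits


def clean_hosts(text: str) -> str:
    """Return hosts text with hijacked names removed, keeping the rest of each line."""
    bad_names = {}
    for lineno, _, name in find_hijacked(text):
        bad_names.setdefault(lineno, set()).add(name)
    kept = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        if lineno not in bad_names:
            kept.append(raw)
            continue
        body, sep, comment = raw.partition("#")
        fields = [f for f in body.split() if f not in bad_names[lineno]]
        if len(fields) >= 2:                 # line still maps something
            kept.append(" ".join(fields) + (f" {sep}{comment}" if sep else ""))
    return "\n".join(kept) + "\n"


if __name__ == "__main__":
    for lineno, address, name in find_hijacked(SAMPLE_HOSTS):
        print(f"line {lineno}: {name} -> {address} (hijacked)")
    print(clean_hosts(SAMPLE_HOSTS), end="")
```

On a live Windows machine the file to read is %SystemRoot%\system32\drivers\etc\hosts; run the cleaned output past a human before writing it back, since any deliberate local overrides will also be flagged.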




Name   Troj/LanFilt-J

Type  
    * Trojan

Affected operating systems  
    * Windows

Side effects  
    * Turns off anti-virus applications
    * Steals information
    * Drops more malware
    * Reduces system security
    * Records keystrokes
    * Installs itself in the Registry

Aliases  
    * Backdoor.Win32.Delf.zc

Prevalence (1-5) 2

Description
Troj/LanFilt-J is a Trojan for the Windows platform.

Troj/LanFilt-J can perform the following actions:

log keystrokes
steal information
steal passwords
terminate processes
capture screen-shots and webcam images
disable the Windows XP firewall
turn off System Restore
upload and download files
hide from view by stealthing

Troj/LanFilt-J sends stolen information to a remote website.

The Trojan may drop further applications in order to steal dial-up, 
Instant Messenger and email account passwords.

Advanced
Troj/LanFilt-J copies itself to the Windows folder as "mshost.exe" and 
creates a DLL named "xpcore.dll" in the same folder. These files may be 
hidden from view as the Trojan is capable of stealt