Text 6, 1860 rader
Skriven 2004-10-16 18:45:00 av KURT WISMER (1:123/140)
Ärende: News, 0ct. 16 2004
==========================
[cut-n-paste from sophos.com]
Name W32/Rbot-NC
Type
* Worm
How it spreads
* Network shares
Affected operating systems
* Windows
Side effects
* Allows others to access the computer
* Downloads code from the internet
* Reduces system security
* Installs itself in the Registry
* Exploits system or software vulnerabilities
Aliases
* Backdoor.Win32.Rbot.gen
* W32/Sdbot.worm.gen.j
Prevalence (1-5) 2
Description
W32/Rbot-NC is a network worm which contains IRC backdoor Trojan
functionality, allowing unauthorised remote access to the infected
computer.
Advanced
W32/Rbot-NC is a worm which attempts to spread to remote network shares.
It also contains backdoor Trojan functionality, allowing unauthorised
remote access to the infected computer via IRC channels while running in
the background as a service process.
W32/Rbot-NC spreads to network shares with weak passwords and via
network security exploits as a result of the backdoor Trojan element
receiving the appropriate command from a remote attacker.
W32/Rbot-NC copies itself to the Windows system folder as SCHOST.EXE and
creates entries at the following locations in the registry with the
value Generic Host Process to run itself on system startup:
HKLM\Software\Microsoft\Windows\CurrentVersion\Run
HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices
HKCU\Software\Microsoft\Windows\CurrentVersion\Run
W32/Rbot-NC may attempt to sets the following registry entries:
HKLM\SOFTWARE\Microsoft\Ole\EnableDCOM = "N"
HKLM\SYSTEM\CurrentControlSet\Control\Lsa\restrictanonymous = "1"
W32/Rbot-NC may attempt to delete network shares on the host computer.
Name W32/Forbot-BI
Type
* Worm
How it spreads
* Network shares
Affected operating systems
* Windows
Side effects
* Allows others to access the computer
* Steals information
* Downloads code from the internet
* Reduces system security
* Installs itself in the Registry
Aliases
* WORM_WOOTBOT.AQ
Prevalence (1-5) 2
Description
W32/Forbot-BI is an IRC backdoor Trojan and network worm for the Windows
platform.
Advanced
W32/Forbot-BI is an IRC backdoor Trojan and network worm for the Windows
platform.
In order to run automatically when Windows starts up the worm moves
itself to the Windows system folder as systemproc.exe and creates the
following registry entries:
HKLM\Software\Microsoft\Windows\CurrentVersion\Run\
Microsoftkeysd = "systemproc.exe"
HKLM\Software\Microsoft\Windows\CurrentVersion\RunOnce\
Microsoftkeysd = "systemproc.exe"
HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices\
Microsoftkeysd = "systemproc.exe"
HKCU\Software\Microsoft\Windows\CurrentVersion\Run\
Microsoftkeysd = "systemproc.exe"
HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnce\
Microsoftkeysd = "systemproc.exe"
W32/Forbot-BI also creates its own service named "MicrosoftCorporations",
with the display name "Microsoftkeysd".
Once installed, W32/Forbot-BI connects to a preconfigured IRC server and
joins a channel from which an attacker can issue further commands. These
commands can cause the infected machine to perform any of the following
actions:
flood a remote host (by either ping or HTTP)
start a SOCKS4 proxy server
start an HTTP server
start an FTP server
portscan randomly chosen IP addresses
execute arbitrary commands
steal information such as passwords and product keys
upload/download files
The worm can spread to unpatched machines affected by the LSASS
vulnerability (see MS04-011) and through backdoors left open by the
Troj/Optix family of Trojans.
Name W32/Traxg-B
Type
* Worm
How it spreads
* Email messages
Affected operating systems
* Windows
Side effects
* Sends itself to email addresses found on the infected computer
* Modifies data on the computer
* Installs itself in the Registry
Aliases
* WORM_VB.F
Prevalence (1-5) 2
Description
W32/Traxg-B is a worm that attempts to spread using Microsoft Outlook.
W32/Traxg-B may create the file C:\folder.htt. This file may be deleted.
Advanced
W32/Traxg-B is a worm that attempts to spread using Microsoft Outlook.
W32/Traxg-B copies itself to several locations using randomly generated
filenames and creates the following registry entry in order to run on
Windows startup:
HKLM\Software\Microsoft\Windows\CurrentVersion\Run\TempCom
W32/Traxg-B may set the following registry entries in order to modify
the behaviour of Windows Explorer:
HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\
Hidden = 0
HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\
HideFileExt = 1
W32/Traxg-B may create the file c:\folder.htt. This file may be deleted.
Name W32/Sdbot-QH
Type
* Worm
How it spreads
* Network shares
Affected operating systems
* Windows
Side effects
* Allows others to access the computer
* Steals information
* Drops more malware
* Downloads code from the internet
* Reduces system security
* Installs itself in the Registry
Aliases
* Backdoor.Win32.Rbot.gen
Prevalence (1-5) 2
Description
W32/Sdbot-QH is a network worm with backdoor functionality for the
Windows 2000 and Windows XP platforms.
W32/Sdbot-QH spreads to network shares with weak passwords and by
exploiting the LSASS and DCOM security vulnerabilities as a result of
the backdoor Trojan element receiving the appropriate command from a
remote user through an IRC channel.
Advanced
W32/Sdbot-QH is a network worm with backdoor functionality for the
Windows 2000 and Windows XP platforms.
W32/Sdbot-QH spreads to network shares with weak passwords and by
exploiting the LSASS and DCOM security vulnerabilities as a result of
the backdoor Trojan element receiving the appropriate command from a
remote user through an IRC channel.
When excuted W32/Sdbot-QH copies itself to the Windows system folder
with the filename msfirewall.exe and, in order to run automatically when
Windows starts up, sets the following registry entries with the path to
the copy:
HKLM\Software\Microsoft\Windows\CurrentVersion\Run\MS FIREWALL
HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices\MS FIREWALL
HKCU\Software\Microsoft\Windows\CurrentVersion\Run\MS FIREWALL
HKCU\Software\Microsoft\Windows\CurrentVersion\RunServices\MS FIREWALL
As a part of its payload W32/Sdbot-QH attempts to delete network shares
on the host computer and values of the following registry entries:
HKLM\SYSTEM\CurrentControlSet\Services\Share\Start
HKLM\SYSTEM\CurrentControlSet\Services\wuaus\Start
HKLM\SYSTEM\CurrentControlSet\Services\wscsv\Start
W32/Sdbot-QH drops a file called MSDIRECTX.SYS to the current folder
which is detected as Troj/NtRootK-F.
W32/Sdbot-QH runs this file as a Kernel Driver called MSDIRECTX in order
hide itself from certain monitoring programs, including Task Manager.
Name W32/Netsky-AD
Type
* Worm
How it spreads
* Email attachments
* Network shares
Affected operating systems
* Windows
Side effects
* Sends itself to email addresses found on the infected computer
* Forges the sender's email address
* Uses its own emailing engine
* Installs itself in the Registry
Prevalence (1-5) 2
Description
W32/Netsky-AD is a worm that spreads by email and Windows network
shares.
Advanced
W32/Netsky-AD is a worm that spreads by email and Windows network
shares.
When run the worm copies itself to the Windows folder as MsnMsgrs.exe
and creates the following registry entry so as to auto-start on computer
reboot:
HKLM\Software\Microsoft\Windows\CurrentVersion\Run\
MsnMsgr = %WINDOWS%\MsnMsgrs.exe -alev
W32/Netsky-AD searches all mapped drives for files with the following
extensions in order to find email adresses:
SCS, OFT, SHT, DBX, TBB, ADB, DOC, WAB, ASP, UIN, RTF, VBS, HTML, HTM,
PL, PHP, TXT and EML
The worm will also attempt to copy itself to folders containing the
words 'share' and 'sharing' on local drives using the following
filenames:
vota!.zip.scr
aninha gatinha!.zip.scr
importante!!!!!.zip.scr
minhavida!.zip.exe
comoserrico!.zip.scr
vida!!.zip.scr
receitas de bolo!!.zip.scr
celulares!!.zip.scr
clica ai logo meu.scr
rede globo tv!.zip.scr
rocha.scr
paula!.scr
Carnaval em Salvador!!.zip.scr
vadias peladas!!.scr
cafe!!.zip.scr
traficoemSP!.scr
MulataDandoOcujpg.scr
multas.pif
caspa.scr
barrio.scr
ResidentEvil2.zip.scr
puteiros!!.scr
Canaval2004!.jpg.pif
VivaNaBaia!.scr
W32/Netsky-AD may arrive in an email with the following characteristics
Subject line: (randomly chosen from)
:)
morto
Sua saude esta bem?
pescaria por kilo
massas!
impressao!!
robos!
diga
agradou
Message text: (randomly chosen from)
me veja peladinha
gostaria disso e voce???
algo a mais
falea verdade!!!
ganhe muita grana
campanhadafome
pq nao me liga??
sinto voce!!
grana
Lembra?
amor me liga
Hackers do Brasil
Medical Labs Exames!!!
meu telefone liga
ferias nos E.U.A
Surto :(
Vacina contra o HIV!!
sua conta bancaria zerada
olha que isso!!!
parabens!
te amo!
Policia SP
Sua Conta!!
Boleto Pague
veja o que tem no zip e me liga
receitas de bolo!!
acrdito que em voce!!!
promocao de viajens de fim de ano
tudo sobre voce sabe
Proposta de emprego!!
estou doente veja!!!
me diz o queacha?
retorna logo isso!!
arquivo zipado PGP???
voce passou :D!!!
ve ai logo ta
AMA!
AmaVoce
Abra rapido isso!!!!
reza de sao tome!!!!.
veja detalhes!!!.
encontro voce!
preenche ai ta bom
PizzaVeneza!
Attached file: (one of the following randomly chosen names with a double
file extension)
AninhaPutinha +55operado6992292246
vaca
tetas
war3!
AIDS!
grana
banco!
revista
lulao!
imposto
jogo!
loterias
vips!
missao
vadias!
email
flipe
botao
sampa!!
contas!!
zerado
:(
criancas!
brasil!
lantrocidade
aqui
docs
festa!!
LINUSTOR
bingos!
agua!
:D
sorteado!!
grana!!
dinheiro!!
carros!
voce
:-)
???
circular
The extension is a combination of TXT, DOC, RTF, HTM, PIF, COM, SCR and
BAT.
The file inside the archive will have identical name but a different,
usually double, executable file extension (e.g doc.exe).
When the file is extracted and opened the virus displays the message box
"File Corrupted replace this!!".
Name W32/Bagz-B
Type
* Worm
How it spreads
* Email attachments
Affected operating systems
* Windows
Side effects
* Sends itself to email addresses found on the infected computer
* Forges the sender's email address
* Uses its own emailing engine
* Downloads code from the internet
* Installs itself in the Registry
Aliases
* I-Worm.Bagz.b
* W32/Bagz.b@MM
Prevalence (1-5) 2
Description
W32/Bagz-B is mass mailing network worm. It also contains a backdoor
which allows an intruder to instruct it to download and install further
components.
W32/Bagz-B may also try to disable the Windows default firewall on
startup.
W32/Bagz-B will attempt to harvest email addresses from the "Document
and setting" folder on the local machine with names such as *.txt,
*.htm, *.htm, *,dbx, *.tbi, *.tbb.
Advanced
The email it sends will contain an attachment either in ZIP format or in
a binary file. It will contain the following subject lines:
"last request before refunding"
"re: user id update"
"fwd: your funds are eligible for withdrawal"
"find a solution with this customer"
"no subject"
"re: help desk registration"
"failure notice"
"fwd: password"
"when should i call you?"
"re: re: a question"
"knowledge base article"
"open invoices"
"returned mail: see transcript for details"
"building maintenance"
"[fwd: broken link]"
"winxp"
"troubles are back again"
"questions"
"order approval"
"units available"
"progress news"
"big announcements"
"need help pls"
"you have recieved an ecard!"
"what is this ????"
"deactivation notice"
"message recieved, please confirm"
"my funny stories"
"cost inquiry"
"re: payment"
"referrences"
"webmail invite"
"re: quote request"
Attachments can use the following names:
arch.doc<spaces>.exe
arch.zip
archive.doc<spaces>.exe
archive.zip
atach.doc<spaces>.exe
atach.zip
att.doc<spaces>.exe
att.zip
contact.doc<spaces>.exe
contact.zip
db.doc<spaces>.exe
db.zip
dl.exe
doc.doc<spaces>.exe
doc.zip
documents.doc<spaces>.exe
documents.zip
file.doc<spaces>.exe
file.zip
ipdb.dll
jobdb.dll
mail.doc<spaces>.exe
mail.zip
message.doc<spaces>.exe
message.zip
messages.doc<spaces>.exe
messages.zip
msg.doc<spaces>.exe
msg.zip
read.doc<spaces>.exe
read.zip
readme.doc<spaces>.exe
readme.zip
support.doc<spaces>.exe
support.zip
syslogin.exe
tutorial.doc<spaces>.exe
warning.doc<spaces>.exe
warning.zip
W32/Bagz-B will keep a copy of the above files in the folder %system32%.
Other than the above, it will also drop the following components:
%system32%/dl.exe
%system32%/syslogin.exe
%system32%/ipdb.dll
%system32%/jobdb.dll
And also create the following autorun registry entry:
HKLM\Software\Microsoft\Windows\CurrentVersion\Run\
syslogin.exe = syslogin.exe
Name W32/Sdbot-QF
Type
* Worm
How it spreads
* Network shares
Affected operating systems
* Windows
Side effects
* Allows others to access the computer
* Steals information
* Reduces system security
* Installs itself in the Registry
* Exploits system or software vulnerabilities
Aliases
* Backdoor.Win32.Wootbot.gen
* WORM_WOOTBOT.BB
* W32/Sdbot.worm.gen.h
Prevalence (1-5) 2
Description
W32/Sdbot-QF is a worm with backdoor functionality for the Windows
platform that targets local network shares and allows a malicious user
remote access to an infected computer.
Advanced
W32/Sdbot-QF is a worm with backdoor functionality for the Windows
platform that targets local network shares and allows a malicious user
remote access to an infected computer.
When executed W32/Sdbot-QF copies itself to the Windows system folder
with the filename service.exe and in order to run automatically when
Windows starts up creates the following registry entries:
HKLM\Software\Microsoft\Windows\CurrentVersion\Run\Win32 USB2.0 Driver
HKLM\Software\Microsoft\Windows\CurrentVersion\RunOnce\Win32 USB2. Driver
HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices
\Win32 USB2.0 Driver
HKCU\Software\Microsoft\Windows\CurrentVersion\Run\Win32 USB2.0 Driver
HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnce\Win32 USB2.0 Driver
with the path to the copy.
W32/Sdbot-QF spreads to other computers by exploiting the LSASS
vulnerability. For more information about this vulnerability see
MS04-011.
As part of the payload W32/Sdbot-QF steals the CD keys from a number of
popular games, may delete netshares and function as a proxy Trojan.
Name W32/Apribot-C
Type
* Worm
How it spreads
* Email attachments
* Web downloads
* Chat programs
Affected operating systems
* Windows
Side effects
* Turns off anti-virus applications
* Allows others to access the computer
* Modifies data on the computer
* Deletes files off the computer
* Steals information
Aliases
* Backdoor.IRCBot.gen
Prevalence (1-5) 2
Description
W32/Apribot-C is an IRC backdoor with spreading capability.
Each time the worm is run it tries to connect to a remote IRC server and
join a specific channel. The backdoor component then runs in the
background as a server process, listening for commands to execute. The
infected computer can be used to perform several functions:
Advanced
W32/Apribot-C is an IRC backdoor with spreading capability.
Each time the worm is run it tries to connect to a remote IRC server and
join a specific channel. The backdoor component then runs in the
background as a server process, listening for commands to execute. The
infected computer can be used to perform any of the following functions:
* Proxy server (SOCKS4)
* FTP server
* SMTP server
* File system Manipulation
* Port scanner
* DDoS floods (TCP,UDP,SYN)
* Remote shell (RLOGIN)
* Key logger
When first run the worm copies itself to the Windows System folder under
a randomly generated name. The copy may have some random data appended
to it. In order for the copy to be run on startup, registry entries are
created under random names in the following locations:
HKLM\Software\Microsoft\Windows\CurrentVersion\Run\
HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices\
HKCU\Software\Microsoft\Windows\CurrentVersion\Run\
The worm chooses from one or two of the following strings to form the
filename:
SERV
DISK
STAT
LOAD
INI
SCAN
INIT
SRV
DSK
CONF
CFG
MON
DLL
VXD
CHK
REG
DRV
WIN
SYS
Stat
Load
Scan
Init
Service
Disk
Config
Monitor
Check
Reg
Drive
Win
System
The following entry is also created:
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\
Shell = "Explorer.exe,[filename] -shell"
Many additional registry entries may be created, changed or deleted. In
particular, many entries are created in the following registry
locations:
HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\
DisallowRun
HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System\
DisableRegistryTools
HKLM\SOFTWARE\Microsoft\Connect\
The following entries are set:
HKLM\SYSTEM\ControlSet001\Control\Lsa\restrictanonymous = 1
HKLM\SYSTEM\CurrentControlSet\Control\Lsa\restrictanonymous = 1
W32/Apribot-C may also attempt to disable debugging and firewall
software.
The worm appends several lines to the HOSTS file, found in the
drivers\etc subfolder of the Windows System folder. Each line consists
of a randomly chosen IP address beginning with "127" and a web address.
The worm appends this data in order to prevent access to a number of
anti-virus and Microsoft web sites.
Name W32/Funner-A
Type
* Worm
How it spreads
* Email attachments
Affected operating systems
* Windows
Side effects
* Modifies data on the computer
* Installs itself in the Registry
Aliases
* MSN-Worm.Funner
* W32/Funner.worm
* WORM_FUNNER.A
Prevalence (1-5) 2
Description
W32/Funner-A is a worm for the Windows platform that targets the MSN
Messenger application.
Advanced
W32/Funner-A is a worm for the Windows platform that targets the MSN
Messenger application.
When executed W32/Funner-A copies itself to the Windows folder with the
filename rundll32.exe and to the Windows system folder with the
filenames explorer.exe, iexplore.exe and userinit32.exe. In order to run
automatically when Windows starts up the worm sets the following
registry entries:
HKLM\Software\Microsoft\Windows\CurrentVersion\Run\
MMSystem =
<Windows>\rundll32.exe \" <Windows>\<system>\mmsystem.dll\"\", RunDll32
HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\
Userinit =
<Windows>\<system>\userinit32.exe
HKCU\Software\Microsoft\Windows\CurrentVersion\Run\
MMSystem =
<Windows>\rundll32.exe \"<Windows>\<system>\mmsystem.dll\"\", RunDll32
Also W32/Funner-A may change system.ini by adding the path to
EXPLORER.EXE to the "Shell=" line.
As a part of its payload W32/Funner-A appends the original HOSTS file
with one that contains the following list of URLs redirected to the
222.89.98.219 IP address thus restricting access to these sites:
"www.cmfu.com"
"9i0.com"
"www.9flash.com"
"9flash.com"
"www.nowok.net"
"nowok.net"
"wisa.com.cn"
"www.sia.com.cn"
"www.wisa.cn"
"wisa.cn"
"www.zhao99.com"
"zhao99.com"
"www.wo123.com"
"wo123.com"
"wo99.com"
"www.wo99.com"
"www.page.com.cn"
"page.com.cn"
"wysw.com"
"14.com.cn"
"www.14.com.cn"
"cnww.net"
"www.mv99.com"
"mv99.com"
"www.youav.com"
"www.mtvav.com"
"3tom.com"
"www.114.com.cn"
"www.net114.com"
"www.skywz.com"
"skywz.com"
"www.hao6.com"
"hao6.com"
"www.678a.com"
"www.zzkan.com"
"zzkan.com"
"www.ca183.com"
"ca183.com"
"www.yhjm.com"
"yhjm.com"
"www.k369.com"
"www.xxwww.com"
"xxwww.com"
"www.fm1000.net"
"www.ok135.com"
"ok135.com"
"www.link999.com"
"link999.com"
"www.001wz.com"
"001wz.com"
"www.7t7t.com"
"7t7t.com"
"www.7k7k.com"
"7k7k.com"
"www.webcool.net"
"webcool.net"
"www.51sobu.com"
"51sobu.com"
"cy.51sobu.com"
"www.fj3721.com"
"www.msncn.com"
"msncn.com"
"www.8goo.com"
"8goo.com"
"www.baimin.com"
"baimin.com"
"www.bwwz.com"
"bwwz.com"
"www.howow.net"
"howow.net"
"www.tongchi.com"
"tongchi.com"
"www.7o7o.com"
"7o7o.com"
"www.wangzhiku.com"
"wangzhiku.com"
"www.soyeah.com"
"soyeah.com"
"www.sowang.cn"
"sowang.cn"
"www.look8.net"
"look8.net"
"www.v222.com"
"www.wblink.com"
"wblink.com"
"www.daguilin.com"
"www.365.com"
"daguilin.com"
"www.soulang.com"
"soulang.com"
"www.369e.com"
"www.kuwz.com"
"kuwz.com"
"www.6cn.com"
"6cn.com"
"www.wyly.cn.gs"
"wyly.cn.gs"
"www.xhoo.net"
"xhoo.net"
"www.qoomo.com"
"www.4sohu.com"
"www.top777.com"
"top777.com"
"www.suoyou.com"
"suoyou.com"
"www.dlren.com"
"dlren.com"
"www.cityshe.com"
"www.hao100.com"
"hao100.com"
"www.11wz.com"
"11wz.com"
"www.bszcx.com"
"www.12so.com"
"12so.com"
"www.wguo.com"
"wguo.com"
"www.ku8.com"
"ku8.com"
"www.5i55.com"
"www.dlwz.net"
"dlwz.net"
"www.etidc.net"
"etidc.net"
"www.eaol.net"
"eaol.net"
"wz.dabaoku.com"
"dabaoku.com"
"www.dabaoku.com"
"info.west263.com"
"west263.com"
"www.west263.com"
"www.urlall.com"
"urlall.com"
"www.wacn.cn"
"wacn.cn"
"www.uhot.net"
"uhot.net"
"www.lywww.com"
"lywww.com"
"tj8.aofa.cn"
"www.ddvv.cn"
"www.husou.com"
"www.postonline.com.cn"
"www.114hi.net"
"www.huiche.com"
"www.cnhttp.net"
"www.wang100.com"
"www.xntt.com"
"www.wuhanlink.com"
"www.xzcn.com"
"www.chi9.net"
"url.114.com.cn"
"www.zhao114.com"
"www.zpartner.com"
"www.cckey.cn"
"www.gege.com.cn"
"www.86wz.com"
"www.91wz.com"
"www.888wz.com"
"web.365ye.com"
"www.kps.cn"
"www.gouhot.com"
"www.123k.com"
"www.jywin.com"
"www.zbwz.com"
"www.soko.cn"
"94wo.com"
"www.qeoo.com"
"www.myweb.cn"
"www.hflash.com"
"www.x63.com"
"www.hky5.com"
"www.qyj.cn"
"www.hao321.cn"
"es.xmew.com"
"www.sohu123.com"
"cxhuu.nease.net"
"www.5e5e.net"
"www.hao868.com"
"www.kunmei.com"
"www.hao55.com"
"www.qqkkaa.com"
"www.mpsoft.net"
"www.51rm.com"
"www.emode.cn"
"www.xowz.com"
"www.v23.com"
"www.xiaoyouxi.com"
"www.zhao58.com"
"www.sqw.cn"
"www.293.net"
"www.wo20.com"
"www.l66.net"
"link.coolala.net"
"www.v339.com"
"www.zdzh.com"
"www.222cn.com"
"www.sowang.com"
"www.mypcera.com"
"www.hkball.net"
"www.ocn.cn"
"www.qqxxx.net"
"www.hao789.com"
"www.haohu.net"
"www.v234.com"
"www.lelew.com"
"www.bx169.com"
"www.k958.com"
"www.qianmail.com"
"www.google114.com"
"www.456.net"
"www.kkklll.com"
"www.cnurl.cn.st"
"wz.shcoo.com"
"www.seekchina.com"
"www.qqboy.net"
"www.ok1500.com"
"www.zhao163.net"
"www.liveinby.com"
"wz.sundx.com"
"soe.amoyren.com"
"www.9sou.com"
"www.linan.net"
"www.dabaisha.com"
"www.ezhongren.com"
"8u8.com"
"www.niyou.com"
"www.cpzx.cn"
"www.bbpig.com"
"www.web222.com"
"www.hao126.com"
"www.yofoo.com"
"www.dodo100.com"
"www.369w.net"
"wz.m118.com"
"www.joyo.net.tf"
"netzj.cnbv.net"
"guide.tzinfo.net"
"www.ec365.net"
"www.yingcheng.net"
"www.92l.com"
"www.hao128.com"
"www.gdfxzx.com"
"www.hulian.com"
"xmt.agreatserver.com"
"www.xc123.com"
"www.cz66.com"
"go.sunff.com"
"www.chinac2c.cn"
"www.023web.com"
"www.lwtwjh.com"
"www.jibest.com"
"www.wopiao.com"
"www.ie123.com"
"twys.x168.net"
"url.fengqiu.cn"
"wangzhi.dkwx.com"
"www.cnje.net"
"www.cnpick.com"
"www.zpjh.com"
"www.mhyf.com"
"www.haoso.com"
"www.wz160.com"
"www.98w.net"
"www.80dh.com"
"www.sj166.com"
"www.52so.com"
"www.haozi.net"
"www.39cn.com"
"www.jv168.com"
"www.dog3721.com"
"www.3000ok.com"
"www.k3k4.com"
"www.028www.com"
"www.bjav.com"
"www.abkk.com"
"www.c888.com"
"web.jpwy.net"
"www.zszk.net"
"www.9china.cn.st"
"www.renma.net"
"www.fs0757.com"
"www.ku123.com"
"www.quhu.com"
"www.iq123.com"
"www.szci.com"
"www.cd200.com"
"www.5cha.com"
"www.qq83.com"
"www.qiye1.com"
"www.ganyu-window.com"
"www.senovo.com"
"www.my818.net"
"www.jcwz.com"
"www.haisanya.com"
"www.kk369.com"
"www.dtxj.com"
"www.kelove.com"
"www.k383.com"
"www.goo123.com"
"www.258.com"
"www.actoz.net"
"www.hao263.com"
"www.365url.com"
"www.shei.com"
"www.wqsj.com"
"www.newbe.net"
"www.qqq9.com"
"www.01wz.com"
"www.51com.net"
"www.chinaxajh.net"
"www.baidu.org"
"www.913w.com"
"www.wz100.net"
"www.hcwz.net"
"www.52gp.net"
"www.yepian.com"
"www.shuxi.com"
"hi.52l.com"
"www.huoe.com"
"www.ngwave.com"
"www.com886.com"
"www.35hao.com"
"www.9g8.com"
"www.158ok.com"
"www.mfsky.com"
"www.chnow.net"
"www.mxzc.com"
"www.bao123.net"
"www.bizcn.com"
"www.8007.com.cn"
"www.wenxue123.com"
"www.connexone.com"
"www.7can.com"
"www.cc7.cn"
"dh.ovoe.com"
"www.3lian.net"
"www.s222.com"
"www.cccweb.cn"
"www.yi76.com"
"www.qu123.com"
"www.my8888.com"
"www.zdao.net"
"www.china320.com"
"www.3w3w.net"
"www.gigi.cn"
"www.91so.com"
"www.789.com.cn"
"www.wwvww.com"
"www.yukz.com"
"www.52css.com"
"www.wwwz.net"
"www.hslz.com"
"www.xingduo.com"
"www.hao8.cn"
"www.xinren.com.cn"
"website.bigwww.com"
"www.bigwww.com"
"www.qingdaonews.com"
"www.luosoft.com"
"www.tt111.com"
"www.cq6.com"
"www.0791www.com"
"www.zhfm.com"
"www.ni123.com"
"www.xgmm.com"
"www.cool3721.com"
"www.yt188.com"
"www.kuzhan.net"
"www.fj.cn"
"www.qi123.com"
"www.8zhi.com"
"www.lydjp.com"
"www.cnwzk.net"
"www.168webs.com"
"www.huan8.com"
"www.fjsw.net"
"www.ievv.com"
"www.tt588.com"
"www.21red.net"
"21red.net"
"woo365.woocn.com"
"www.woocn.com"
"www.4f.cc"
"www.chinacts.com"
"www.517sc.com"
"www.gameslife.net"
"ya12.com"
"www.139cn.com"
"search.114.com.cn"
"www.jsurl.com"
"www.verysearch.com"
"www.fm520.com"
"www.haowz.com"
"www.hzs.cn"
"www.gjj.cc"
"www.zw88.com"
"hao12.net"
"www.hao12.net"
"www.ya12.com"
"ha12.com"
"www.ha12.com"
"cn.wu123.com"
"www.qqwz.com"
"www.yetcn.com"
"www.wzdq.net"
"www.001.com.cn"
"www.bbs.net"
"www.21eee.com"
"www.chinasee.com"
"www.chinasee.net"
"www.ai88.net"
"www.haoabc.com"
"www.baidu3.com"
"www.shareshow.com"
"www.anli.net"
"www.9good.com"
"www.c201.com"
"www.baidu2.com"
"www.kk99.com"
"www.k666.com"
"www.cidu.net"
"www.xmok.com"
"www.900du.com"
"www.happy8.cn"
"www.w3ww.net"
"www.520day.com"
"www.88qq.com"
"www.qqtt.com"
"www.sl520.com"
"www.32e.com"
"www.gjjc.com"
"www.265cn.com"
"www.ec35.com"
"www.55wz.com"
"www.ggxx.net"
"www.51link.com"
"www.xicu.com"
"www.uu163.com"
"www.zhss.com"
"www.kv100.com"
"www.1000www.com"
"www.3ku.cn"
"www.wu5.com"
"www.qq125.com"
"www.come114.com"
"www.ziyue.com"
"www.junwang-china.com"
"www.dzdy.com"
"www.film21cn.com"
"movies.v111.com"
"www.movie001.com"
"vod.hengshui.com"
"www.cnfilm.com"
"cinema.tyfo.com"
"www.xkqq.com"
"www.seemovie.net"
"www.efsms.com"
"www.kanvcd.com"
"www.52movie.com"
"www.dianying.com"
"www.xk88.com"
"www.filmcn.com"
"www.aizb.com"
"www.look163.com"
"www.ohfilm.com"
"www.51seeing.com"
"www.kkdu.com"
"www.vod588.com"
"www.mfdy.net"
"www.16mp3.com"
"www.juedui.com"
"www.freefilm.cn"
"www.v110.com"
"www.tvvcd.com"
"www.21play.com"
"www.kooya.net"
"vod.chinabzl.com"
"www.x520x.com"
"www.netbooksir.com"
"wenxue.myrice.com"
"wenxue.xilu.com"
"www.rongshuxia.com"
"wind.yinsha.com"
"www.chinamp3.com"
"www.sogua.com"
"www.yy138.com"
"www.loveproxy.com"
"www.ucanlove.com"
"www.zzlady.com"
"www.wemarried.com"
"www.yeeyoo.com"
"www.uume.com"
"www.you2you.com"
"www.gycity.com"
"www.cococ.com"
"www.7xi.net"
"www.cnmusic.com"
"www.yyfc.com"
"www.xkmm.com"
"www.iq888.com"
"www.mtvyy.com"
"www.mp88.com"
"www.zhao5.com"
"www.qq500.com"
"www.tn27.com"
"www.vod99.com"
"v.ilovex.net"
"www.vovoo.com"
"www.pic163.com"
"www.911mm.cn"
"www.haha668.com"
"www.bt001.com"
"www.tu520.com"
"www.pic21.net"
"www.bbtav.com"
"www.517tg.net"
"www.newsw.net"
"www.100dy.com"
"www.fm830.net"
"www.oicqie.com"
"qq163.com"
"www.fm930.net"
"www.tn16.com"
"www.mayshop.com"
"www.kk1688.com"
"v.eband.com.cn"
"www.so8a.com"
"www.5iav.com"
"www.dodofilm.com"
"www.tkfilm.com"
"www.wg818.com"
"www.longdvd.com"
"www.eailv.com"
"www.18up.com.cn"
"www.51happy.com.cn"
"www.aimaiti.com"
"www.7cv.com"
"www.sex-sky.net"
"www.51sex.com.cn"
"www.sh-yem.com"
"www.kx8163.com"
"www.lybaile.com"
"www.xingfuquan.com"
"www.mmbee.net"
"www.5910.com.cn"
"www.88ty.com"
"www.to68.com"
"www.sbeijing.com"
"www.sex-xf.com"
"www.aichaohong.com"
"www.xm18.com"
"www.cydchina.com"
"www.ld28.com"
"www.18it.com"
"www.52romeo.com"
"www.7caihong.com"
"www.bjxinglv.com"
"wg999.com"
"www.shile.net"
"www.gxcr.com"
"www.wl51.com"
"www.lnydy.com"
"www.2hao.net"
"www.totola.com"
"www.tvliao.com"
"www.sjliao.com"
"www.ginhoo.com"
"www.loveinhere.com"
"www.loveliao.com"
"www.meuu.com"
"www.qq6000.com"
"www.fx120.net"
"www.9see.com"
"www.98rm.com"
"www.suiyuan.name"
"www.hao513.com"
"www.hxjh.net"
"www.ylpj.com"
"www.5i2.com"
"www.heliao.com"
"www.t987.net"
"wo365.com"
"www.xk99.com"
"xk99.com"
"yymp3.com"
"520music.com"
"da123.com"
"www.v111.com"
"www.zhao123.com"
"www.z163.com"
"www.bihao.com"
"www.haoyy.com"
"www.qq32.com"
"www.wenxuecity.com"
"www.shangdu.net"
"www.haohz.com"
"www.shopping7.org"
"www.99bb.com"
"www.sexushost.com"
"www.ting88.com"
"www.88uu.com"
"www.yiwubag.com"
"www.sexhu.com"
"www.mtv99.com"
"www.hao138.com"
"www.jjwxc.net"
"www.pmsky.com"
"www.1ting.com"
"www.qq12.com"
"99bbs.com"
"www.99bbs.com"
"bbs.99bbs.com"
"www.666d.com"
"www.zpzz.com"
"www.xdao.com"
"webspacecn.com"
"www.v61.net"
"book.haodx.com"
"www.214g.com"
"www.a263.com"
"hung-ya.com"
"21pk.com"
"518sex.net"
"666ccc.com"
"aisex.com"
"91look.com"
"dydy.iskydown.com"
"www.zyew.com"
"www.33uu.com"
"www.showqq.com"
"www.g3g4.com"
"www.178ya.com"
"www.88tv.net"
"www.58q.com"
"www.fjwz.com"
"www.ok520.com"
"bbs.morok.net"
"www.morok.net"
"www.coke163.com"
"www.mtv68.com"
"www.hao222.net"
"www.hao222.com"
"www.rmbchina.com"
"www.qq6.cn"
"www.94look.com"
"www.h2006.com"
"www.1717kan.com"
"www.crwx.net"
"www.21pk.com"
"www.gameswg.com"
"www.qq230.net"
"www.15kan.com"
"www.qq36.com"
"www.djfilm.com"
"www.hao168.com"
"www.17bao.com"
"www.225.com.cn"
"www.025ma.com"
"www.kanfilm.com"
"www.mm8.cn"
"www.japansky.net"
"vod.chinasee.net"
"www.ftpok.com"
"www.mtv888.com"
"www.mtvccc.com"
"www.51k6.com"
"www.mm80.com"
"www.huole.com"
"www.avgod.com"
"www.wethk.com"
"www.999rave.com"
"www.999bobo.com"
"www.999cartoon.com"
"www.sexshu.com"
"www.999hotgirl.com"
"www.999real.com"
"www.51dd.com"
"www.xxbooks.com"
"www.518sex.net"
"www.sohu123.net"
"www.wg999.com"
"www.17ez.com"
"www.92game.com"
"www.cnoicq.net"
"www.wu123.com"
"www.88gg.com"
"www.00vv.com"
"v.chiqing.com "
"www.oicq88.com"
"www.5lover.com"
"www.wgyy.com"
"www.jpwx.com"
"www.7j.cn"
"www.xxxpanda.com"
"www.postadult.com"
"www.avvcd.com"
"www.Hung-ya.com"
"www.onlypost.com"
"www.Hell-angel.com"
"www.xxgirls.net"
"www.3xbbs.com"
"www.sexy-books.com"
"www.xxstory.net"
"www.h2004.com"
"www.no1vod.com"
"www.ccfilm.com"
"www.xgfilm.com"
"www.lhfilm.com"
"www.qq163.net"
"www.goodwww.com"
"bbs.cnxp.com"
"bt.cnxp.com"
"www.139mm.com"
"www.qq78.com"
"www.gaoshou.net"
"www.yingku.com"
"www.flash51.com"
"www.woogood.com"
"www.cnxp.com"
"www.musicfbi.com"
"www.9i0.com"
"www.btchina.net"
"www.x365x.net"
"www.x365x.com"
"www.5isex.com"
"www.yes-movies.com"
"www.link8.com"
"www.da123.com"
"www.best161.com"
"www.99music.net"
"www.btbbt.com"
"www.520music.com"
"www.91look.net"
"www.91look.com"
"www.aisex.com"
"www.qq163.com"
"www.33mp3.com"
"www.20jack.com"
"www.18jack.com"
"www.cnxxx.com"
"www.18-girl.net"
"www.cococn.com"
"www.365ww.com"
"www.klyy.net"
"www.sunmovie.net"
"www.topdy.com"
"www.qq001.com"
"www.free-movie.org"
"www.tk4479.com"
"www.cct5.com"
"www.kan5.com"
"www.kan51.com"
"www.movie4.com"
"www.vodfans.com"
"www.fhvcd.com"
"www.wysw.com"
"www.t3j4.com"
"www.kan123.com"
"www.chinavbar.com"
"www.ttjj.com"
"www.cnww.net"
"www.haodx.com"
"www.66vv.net"
"www.3tom.com"
"www.vv66.net"
"www.dj99.com"
"www.tt78.com"
"www.6y.cn"
"www.yymp3.com"
"www.99music.com"
"www.5music.org"
"www.qq230.com"
"www.666ccc.com"
"www.666e.com"
"www.qq530.com"
"www.vv66.com"
"www.dj99.net"
Name W32/Snoop-A
Type
* Worm
How it spreads
* Email attachments
* Peer-to-peer
Affected operating systems
* Windows
Side effects
* Installs itself in the Registry
* Leaves non-infected files on computer
Prevalence (1-5) 2
Description
W32/Snoop-A is a worm for the Windows platform.
Advanced
W32/Snoop-A is a worm for the Windows platform.
In order to run on system start, W32/Snoop-A creates the following
registry entry:
HKLM\Software\Microsoft\Windows\CurrentVersion\Run
Shockwave = <path to EXE>
W32/Snoop-A may create several copies of itself into commonly shared
folders within peer to peer applications such as:
Kazaa
BearShare
Grokster
EDonkey2000
Morpheus
The worm may also attempt to send email with a copy of itself as an
attachment.
Name W32/Forbot-BD
Type
* Worm
How it spreads
* Network shares
Affected operating systems
* Windows
Side effects
* Allows others to access the computer
* Deletes files off the computer
* Steals information
* Reduces system security
* Installs itself in the Registry
Aliases
* Backdoor.Win32.Wootbot.gen
Prevalence (1-5) 2
Description
W32/Forbot-BD is a network worm with backdoor Trojan functionality.
The worm runs continuously in the background providing backdoor access
to the infected computer.
W32/Forbot-BD spreads through network shares and by exploiting the LSASS
(MS04-011) software vulnerability. The Trojan may also spread through
backdoors left open by other malware.
Advanced
W32/Forbot-BD is a network worm with backdoor Trojan functionality.
W32/Forbot-BD spreads through network shares and by exploiting the LSASS
(MS04-011) software vulnerability. The Trojan may also spread through
backdoors left open by other malware.
When first run, W32/Forbot-BD copies itself to the Windows System folder
as MSMSGS.EXE. In order to run automatically each time Windows is
started, W32/Forbot-BD sets the following registry entries:
HKLM\Software\Microsoft\Windows\CurrentVersion\Run\
Windows Messenger = msmsgs.exe
HKLM\Software\Microsoft\Windows\CurrentVersion\RunOnce\
Windows Messenger = msmsgs.exe
HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices\
Windows Messenger = msmsgs.exe
HKCU\Software\Microsoft\Windows\CurrentVersion\Run\
Windows Messenger = msmsgs.exe
HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnce\
Windows Messenger = msmsgs.exe
W32/Forbot-BD creates a service named "Windows Messenger" with
the display name "Windows Messenger".
The worm runs continuously in the background providing backdoor access
to the infected computer through IRC channels.
The backdoor component of W32/Forbot-BD can be used to:
start an FTP server.
delete network shares.
start a SOCKS4, SOCKS5, HTTP, TCP and GRE proxy.
list and stop existing processes and services.
download, run and delete files.
modify the registry.
add and delete services.
steal the product keys of popular games and applications.
scan other computers for open ports and attempt to exploit them.
take part in distributed denial of service (DDOS) attacks.
flush the DNS cache.
logoff, reboot and shut down the computer.
W32/Forbot-BD may delete the ADMIN$, IPC$, C$ and D$ network shares.
W32/Forbot-BD is capable of stealing product keys from the following
games and applications:
AOL Instant Messenger
Yahoo Pager
.NET Messenger Service
Microsoft Windows Product ID
Counter-Strike
The Gladiators
Gunman Chronicles
Half-Life
Industry Giant 2
Unreal Tournament 2003
Unreal Tournament 2004
IGI 2: Covert Strike
Freedom Force
Battlefield 1942
Battlefield 1942 (Road To Rome)
Battlefield 1942 (Secret Weapons of WWII)
Battlefield Vietnam
Black and White
Command and Conquer: Tiberian Sun
Command and Conquer: Red Alert 2
Command and Conquer: Generals (Zero Hour)
Command and Conquer: Generals
James Bond 007: Nightfire
Global Operations
Medal of Honor: Allied Assault
Medal of Honor: Allied Assault: Breakthrough
Medal of Honor: Allied Assault: Spearhead
Need For Speed Hot Pursuit 2
Need For Speed: Underground
Shogun: Total War: Warlord Edition
FIFA 2002
FIFA 2003
NHL 2002
NHL 2003
Nascar Racing 2002
Nascar Racing 2003
Rainbow Six III RavenShield
Hidden & Dangerous 2
Soldiers Of Anarchy
Soldier of Fortune II - Double Helix
Call of Duty
Neverwinter Nights
W32/Forbot-BD may alter the following registry entries in order to
enable/disable DCOM:
HKLM\SOFTWARE\Microsoft\Ole\EnableDCOM
W32/Forbot-BD will attempt to disable other malware, such as members of
the W32/Bagle family.
Name W32/Forbot-AZ
Type
* Worm
How it spreads
* Network shares
Affected operating systems
* Windows
Side effects
* Allows others to access the computer
* Steals information
* Reduces system security
* Installs itself in the Registry
* Used in DOS attacks
Aliases
* WORM_WOOTBOT.GEN
Prevalence (1-5) 2
Description
W32/Forbot-AZ is a worm which attempts to spread to remote network
shares. It also contains backdoor Trojan functionality, allowing
unauthorised remote access to the infected computer via IRC channels
while running in the background as a service process
Advanced
W32/Forbot-AZ is a worm which attempts to spread to remote network
shares. It also contains backdoor Trojan functionality, allowing
unauthorised remote access to the infected computer via IRC channels
while running in the background as a service process.
W32/Forbot-AZ copies itself to the Windows system folder as
syshelped.exe and creates entries in the registry at the following
locations so as to run itself on system startup:
HKLM\Software\Microsoft\Windows\CurrentVersion\Run\
MicrosoftUpdates = syshelped.exe
HKLM\Software\Microsoft\Windows\CurrentVersion\RunOnce\
MicrosoftUpdates = syshelped.exe
HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices\
MicrosoftUpdates = syshelped.exe
HKCU\Software\Microsoft\Windows\CurrentVersion\Run\
MicrosoftUpdates = syshelped.exe
HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnce\
MicrosoftUpdates = syshelped.exe
W32/Forbot-AZ also creates several registry entries under:
HKLM\SYSTEM\CurrentControlSet\Enum\Root\
LEGACY_MICROSOFTCORPORATIONS\
HKLM\SYSTEM\CurrentControlSet\Services\MicrosoftCorporations\
Services available to an attacker using the backdoor include:
File transfer
Proxy servers
Distributed denial of service attacks
information harvesting (email addresses, account names and passwords)
--- MultiMail/Win32 v0.43
* Origin: Try Our Web Based QWK: DOCSPLACE.ORG (1:123/140)
|