Text 64, 1518 rader
Skriven 2005-10-01 11:06:00 av KURT WISMER (1:123/140)
Ärende: News, October 1 2005
============================
[cut-n-paste from sophos.com]
Name W32/Netsky-C
Type
* Worm
Affected operating systems
* Windows
Aliases
* I-Worm.Moodown.c
* Win32/Netsky.C
* W32.Netsky.C@mm
* WORM_NETSKY.C
Prevalence (1-5) 2
Description
W32/Netsky-C is a worm which spreads via shared networks and by
emailing itself to addresses found within files located on drives C:
to Z:.
The email subject line, message text and attachment filename are
randomly chosen from lists within the worm.
The name of the attached file is chosen from:
associal, msg, yours, doc, wife, talk, message, response,
creditcard, description, details, attachment, pic, me, trash,
card, stuff, poster, posting, portmoney, textfile, moonlight,
concert, sexy, information, news, note, number_phone, bill,
mydate, swimmingpool, class_photos, product, old_photos, topseller,
ps, important, shower, myaunt, aboutyou, yours, nomoney, birth,
found, death, story, worker, mails, letter, more, website,
regards, regid, friend, unfolds, jokes, doc_ang, your_stuff,
location, 454543403, final, schock, release, webcam, dinner,
intimate stuff, sexual, ranking, object, secrets, mail2, attach2,
part2, msg2, disco, freaky, visa, party, material, misc,
nothing, transfer, auction, warez, undefinied, violence, update,
masturbation, injection, naked1, naked2, tear, music, paypal,
id, privacy, word_doc, image or incest.
The attachment extension will be ZIP, COM, EXE, PIF or SCR and may be
preceded by .DOC, .HTM, .RTF or .TEXT. (e.g. visa.htm.scr)
W32/Netsky-C spreads via file sharing networks by copying itself to
folders on drives C: to Z: whose name contains the sub-string 'Shar',
using a filename randomly chosen from the following list:
1000 Sex and more.rtf.exe
3D Studio Max 3dsmax.exe
ACDSee 9.exe
Adobe Photoshop 9 full.exe
Adobe Premiere 9.exe
Ahead Nero 7.exe
Best Matrix Screensaver.scr
Clone DVD 5.exe
Cracks & Warez Archive.exe
Dark Angels.pif
Dictionary English - France.doc.exe
DivX 7.0 final.exe
Doom 3 Beta.exe
E-Book Archive.rtf.exe
Full album.mp3.pif
Gimp 1.5 Full with Key.exe
How to hack.doc.exe
IE58.1 full setup.exe
Keygen 4 all appz.exe
Learn Programming.doc.exe
Lightwave SE Update.exe
Magix Video Deluxe 4.exe
Microsoft Office 2003 Crack.exe
Microsoft WinXP Crack.exe
MS Service Pack 5.exe
Norton Antivirus 2004.exe
Opera.exe
Partitionsmagic 9.0.exe
Porno Screensaver.scr
RFC Basics Full Edition.doc.exe
Screensaver.scr
Serials.txt.exe
Smashing the stack.rtf.exe
Star Office 8.exe
Teen Porn 16.jpg.pif
The Sims 3 crack.exe
Ulead Keygen.exe
Virii Sourcecode.scr
Visual Studio Net Crack.exe
Win Longhorn Beta.exe
WinAmp 12 full.exe
Windows Sourcecode.doc.exe
WinXP eBook.doc.exe
XXX hardcore pic.jpg.exe
When the worm is run on the 26th of February 2004 between 06:00 and
09:00 it may cause the computer to beep sporadically.
The Netsky-C worm contains the following text embedded in its code:
<-<- we are the skynet - you can't hide yourself! - we kill malware
writers (they have no chance!) - [LaMeRz-->]MyDoom.F is a thief of our idea! -
-< SkyNet AV vs. Malware >- ->->
Advanced
W32/Netsky-C is a worm which spreads via shared networks and by
emailing itself to addresses found within files located on drives C:
to Z:.
The email subject line, message text and attachment filename are
randomly chosen from lists within the worm.
The name of the attached file is chosen from:
associal, msg, yours, doc, wife, talk, message, response,
creditcard, description, details, attachment, pic, me, trash,
card, stuff, poster, posting, portmoney, textfile, moonlight,
concert, sexy, information, news, note, number_phone, bill,
mydate, swimmingpool, class_photos, product, old_photos, topseller,
ps, important, shower, myaunt, aboutyou, yours, nomoney, birth,
found, death, story, worker, mails, letter, more, website,
regards, regid, friend, unfolds, jokes, doc_ang, your_stuff,
location, 454543403, final, schock, release, webcam, dinner,
intimate stuff, sexual, ranking, object, secrets, mail2, attach2,
part2, msg2, disco, freaky, visa, party, material, misc,
nothing, transfer, auction, warez, undefinied, violence, update,
masturbation, injection, naked1, naked2, tear, music, paypal,
id, privacy, word_doc, image or incest.
The attachment extension will be ZIP, COM, EXE, PIF or SCR and may be
preceded by .DOC, .HTM, .RTF or .TEXT. (e.g. visa.htm.scr)
When first run W32/Netsky-C copies itself to the Windows folder as
winlogon.exe and creates the following registry entry so that
winlogon.exe is run automatically each time Windows is started:
HKLM\Software\Microsoft\Windows\CurrentVersion\Run\ICQNet
= <WINDOWS>\winlogon.exe -stealth
W32/Netsky-C spreads via file sharing networks by copying itself to
folders on drives C: to Z: whose name contains the sub-string 'Shar',
using a filename randomly chosen from the following list:
1000 Sex and more.rtf.exe
3D Studio Max 3dsmax.exe
ACDSee 9.exe
Adobe Photoshop 9 full.exe
Adobe Premiere 9.exe
Ahead Nero 7.exe
Best Matrix Screensaver.scr
Clone DVD 5.exe
Cracks & Warez Archive.exe
Dark Angels.pif
Dictionary English - France.doc.exe
DivX 7.0 final.exe
Doom 3 Beta.exe
E-Book Archive.rtf.exe
Full album.mp3.pif
Gimp 1.5 Full with Key.exe
How to hack.doc.exe
IE58.1 full setup.exe
Keygen 4 all appz.exe
Learn Programming.doc.exe
Lightwave SE Update.exe
Magix Video Deluxe 4.exe
Microsoft Office 2003 Crack.exe
Microsoft WinXP Crack.exe
MS Service Pack 5.exe
Norton Antivirus 2004.exe
Opera.exe
Partitionsmagic 9.0.exe
Porno Screensaver.scr
RFC Basics Full Edition.doc.exe
Screensaver.scr
Serials.txt.exe
Smashing the stack.rtf.exe
Star Office 8.exe
Teen Porn 16.jpg.pif
The Sims 3 crack.exe
Ulead Keygen.exe
Virii Sourcecode.scr
Visual Studio Net Crack.exe
Win Longhorn Beta.exe
WinAmp 12 full.exe
Windows Sourcecode.doc.exe
WinXP eBook.doc.exe
XXX hardcore pic.jpg.exe
W32/Netsky-C attempts to delete the following registry entries if
they exist:
HKLM\Software\Microsoft\Windows\CurrentVersion\Run\Taskmon
HKLM\Software\Microsoft\Windows\CurrentVersion\Run\Explorer
HKCU\Software\Microsoft\Windows\CurrentVersion\Run\Explorer
HKLM\Software\Microsoft\Windows\CurrentVersion\Run\KasperskyAv
HKCU\Software\Microsoft\Windows\CurrentVersion\Run\KasperskyAv
HKLM\Software\Microsoft\Windows\CurrentVersion\Run\system.
HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices\system.
HKLM\Software\Microsoft\Windows\CurrentVersion\Run\service
HKLM\Software\Microsoft\Windows\CurrentVersion\Run\Sentry
HKLM\Software\Microsoft\Windows\CurrentVersion\Run\msgsrv32
HKLM\Software\Microsoft\Windows\CurrentVersion\Run\DELETE ME
HKCU\Software\Microsoft\Windows\CurrentVersion\Run\D3dupdate.exe
HKCU\Software\Microsoft\Windows\CurrentVersion\Run\au.exe
HKCU\Software\Microsoft\Windows\CurrentVersion\Run\OLE
HKCU\Software\Microsoft\Windows\CurrentVersion\Run\Windows services
host
HKLM\Software\Microsoft\Windows\CurrentVersion\Run\Windows services
host
HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\PINF
HKLM\System\CurrentControlSet\Services\WksPatch
HKCR\CLSID\{E6FB5E20-DE35-11CF-9C87-00AA005127ED}\InProcServer32
When the worm is run on the 26th of February 2004 between 06:00 and
09:00 it may cause the computer to beep sporadically.
The Netsky-C worm contains the following text embedded in its code:
<-<- we are the skynet - you can't hide yourself! - we kill malware
writers (they have no chance!) - [LaMeRz-->]MyDoom.F is a thief of
our idea! - -< SkyNet AV vs. Malware >- ->->
Name Troj/WinterLv-D
Type
* Trojan
Affected operating systems
* Windows
Side effects
* Allows others to access the computer
* Downloads code from the internet
* Installs itself in the Registry
Prevalence (1-5) 2
Description
Troj/WinterLv-D is a backdoor Trojan for the Windows platform.
Once installed Troj/WinterLv-D runs continuously in the background,
allowing a remote intruder access to and control over the computer.
Troj/WinterLv-D includes functionality to:
steal confidential information
provide a proxy server
download, install and run new software
provide an FTP and HTTP server
add and delete user accounts
start or stop the Windows Terminal Server
Advanced
Troj/WinterLv-D is a backdoor Trojan for the Windows platform.
Once installed Troj/WinterLv-D runs continuously in the background,
allowing a remote intruder access to and control over the computer.
Troj/WinterLv-D includes functionality to:
steal confidential information
provide a proxy server
download, install and run new software
provide an FTP and HTTP server
add and delete user accounts
start or stop the Windows Terminal Server
Troj/WinterLv-D may be registered as new system driver services named
"RDPWD" and "TDTCP".
Registry entries may be modified under:
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\netcache
Enabled
0
HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_RDPWD
HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_TDTCP
HKLM\SYSTEM\CurrentControlSet\Services\RDPWD\Enum
HKLM\SYSTEM\CurrentControlSet\Services\TDTCP\Enum
Registry entries may also be modified under:
HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server
fDenyTSConnections
00000000
HKLM\SYSTEM\CurrentControlSet\Services\TermDD
Start
00000002
HKLM\SYSTEM\CurrentControlSet\Services\TermService
Start
00000002
Name W32/Codbot-AB
Type
* Spyware Worm
How it spreads
* Network shares
Affected operating systems
* Windows
Side effects
* Allows others to access the computer
* Steals information
* Downloads code from the internet
* Records keystrokes
* Installs itself in the Registry
Aliases
* Backdoor.Win32.SdBot.afu
Prevalence (1-5) 2
Description
W32/Codbot-AB is a network worm with backdoor Trojan functionality
for the Windows platform.
W32/Codbot-AB spreads through network shares and through various
operating system vulnerabilities such as the following:
LSASS (MS04-011)
RPC-DCOM (MS04-012)
PNP (MS05-039)
IMAIL Server
ASN.1 (MS04-007)
The backdoor component of W32/Codbot-AB connects to a predetermined
IRC channel and awaits further commands from a remote user. The
backdoor component can be instructed to perform various functions,
including:
silently download, install and run new software
start an FTP server
send raw IRC commands
harvest system information
scan networks for vulnerabilities
log keystrokes
Patches for the vulnerabilities exploited by W32/Codbot-AB can be
obtained from Microsoft at:
MS04-011
MS04-012
MS04-007
MS05-039
Advanced
W32/Codbot-AB is a network worm with backdoor Trojan functionality
for the Windows platform.
W32/Codbot-AB spreads through network shares and through various
operating system vulnerabilities such as the following:
LSASS (MS04-011)
RPC-DCOM (MS04-012)
PNP (MS05-039)
IMAIL Server
ASN.1 (MS04-007)
When run, W32/Codbot-AB copies itself to the Windows system folder as
a read-only, hidden, system file dfrgfat32.exe and registers itself
as a service process with the following properties:
"Description"="Monitoring the defragmentating process."
"DisplayName"="Defragmentation Management Handler"
"ImagePath"=<System>\dfrgfat32.exe
The following registry entries are created to run dfrgfat32.exe as a
service process each time the computer starts up:
HKLM\SYSTEM\CurrentControlSet\Services\FAT Defragmentation
<several entries>
W32/Codbot-AB also sets values under the following registry entries
so that dfrgfat32.exe is also run when booting in safe-mode:
HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\
Minimal\FAT Defragmentation
HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\
Network\FAT Defragmentation
The backdoor component of W32/Codbot-AB connects to a predetermined
IRC channel and awaits further commands from a remote user. The
backdoor component can be instructed to perform various functions,
including:
silently download, install and run new software
start an FTP server
send raw IRC commands
harvest system information
scan networks for vulnerabilities
log keystrokes
Patches for the vulnerabilities exploited by W32/Codbot-AB can be
obtained from Microsoft at:
MS04-011
MS04-012
MS04-007
MS05-039
Name W32/Zafi-E
Type
* Worm
How it spreads
* Email attachments
* Peer-to-peer
Affected operating systems
* Windows
Side effects
* Turns off anti-virus applications
* Sends itself to email addresses found on the infected computer
* Forges the sender's email address
* Uses its own emailing engine
* Installs itself in the Registry
Prevalence (1-5) 2
Description
W32/Zafi-E is a worm for the Windows platform.
W32/Zafi-E spreads via email and file sharing on P2P networks.
Upon execution W32/Zafi-E will display a bogus message box with the
text 'Windows has blocked access to this image.'
The message body of the infected email is sent in a number of
different languages and in most cases will try to convince the user
that the attached file is a Star Wars e-card.
The email subject can be any of the following:
Star Wars Greeting, MSN Postcard
Una Star Wars cartolina per te da regione.it,Cartolina Digitale
Une Star Wars carte pour vous,Confidential
Electronisch Star Wars,E-kaartje
e-postkarte,Star Wars
Star Wars, e-kort
e-pohlednice,Elektronickou Star Wars
e-udvozlet,megasztar
i Has recibido una tarjeta en neptun.mx,e-tarjeta
Greeting from neptun.ru,MSN.RU Postcard
Advanced
W32/Zafi-E is a worm for the Windows platform.
W32/Zafi-E spreads via email and file sharing on P2P networks.
Upon execution W32/Zafi-E will display a bogus message box with the
text 'Windows has blocked access to this image.'
When first run W32/Zafi-E copies itself to:
\Documente und Einstellungen\All Users\Start Menu\Programs\StartUp\
Divx Player 7.0.exe
\Documenti e Impostazioni\All Users\Start Menu\Programs\StartUp\Divx
Player 7.0.exe
<User>\Documents\My Music\Adobe Acrobat 8.0.exe
<User>\Documents\My Music\Sample Music\Divx Player 7.0.exe
<Startup>\Adobe Acrobat 8.0.exe
<Startup>\Divx Player 7.0.exe
<User>\My Documents\My Music\Adobe Acrobat 8.0.exe
\My Documents\yahoomentor\shared\Divx Player 7.0.exe
\My Shared Folder\Adobe Acrobat 8.0.exe
<Program Files>\BearShare\Adobe Acrobat 8.0.exe
<Program Files>\BearShare\My Shared Folder\Adobe Acrobat 8.0.exe
<Program Files>\BearShare\Shared\Divx Player 7.0.exe
<Common Files>\Microsoft Shared\Adobe Acrobat 8.0.exe
<Program Files>\KaZaA\My Shared Folder\Divx Player 7.0.exe
<Program Files>\Kmd\My Shared Folder\Divx Player 7.0.exe
<Program Files>\Limewire\My Shared Folder\Divx Player 7.0.exe
<Program Files>\Limewire\Shared\Adobe Acrobat 8.0.exe
<Program Files>\MSN Messenger\shared folder\Adobe Acrobat 8.0.exe
<Program Files>\Messenger\shared folder\Adobe Acrobat 8.0.exe
<Program Files>\Microsoft Office\Office\startup\Adobe Acrobat 8.0.exe
<Program Files>\Morpheus\My Shared Folder\Divx Player 7.0.exe
<Program Files>\Shareaza\Divx Player 7.0.exe
<Program Files>\eDonkey2000\My Shared Folder\Adobe Acrobat 8.0.exe
<Program Files>\icq\Shared Files\Divx Player 7.0.exe
\Programs\Startup\Divx Player 7.0.exe
<Windows>\Profiles\All Users\Start Menu\Programs\StartUp\Divx Player 7.0.exe
<Windows>\ime\shared\Divx Player 7.0.exe
<Windows>\pchealth\UploadLB\Adobe Acrobat 8.0.exe
<System>\88218704565Z.dll
<System>\Symantec_Update-16863.exe
<System>\config\systemprofile\Start Menu\Programs\Startup\Divx Player
7.0.exe
A registry entry is created under
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run to run one of these files on
startup
W32/Zafi-E creates randomly named files with a DLL extension in the
Windows System or System32 folder. Some of these may be log files,
copies of itself or ZIP files containing itself:
W32/Zafi-E creates registry entries under HKLM\SOFTWARE\Microsoft
which link to these files.
W32/Zafi-E will attempt to disable anti virus products.
W32/Zafi-E will send itself by email to addresses harvested from the
Windows Address Book and from files found on disk with the following
extensions HTM, WAB, TXT, DBX, TBB, ASP, PHP, SHT, ADB, MBX, EML, FPT,
INB and PMR.
The worm will avoid sending emails to addresses that contain any of
the following strings: google, sale, service, info, help, admi, webm,
micro, msn, hotm, suppor, soft, zonela.
The message body of the infected email is sent in a number of
different languages and in most cases will try to convince the user
that the attached file is a Star Wars e-card.
The email subject can be any of the following:
Star Wars Greeting, MSN Postcard
Una Star Wars cartolina per te da regione.it,Cartolina Digitale
Une Star Wars carte pour vous,Confidential
Electronisch Star Wars,E-kaartje
e-postkarte,Star Wars
Star Wars, e-kort
e-pohlednice,Elektronickou Star Wars
e-udvozlet,megasztar
i Has recibido una tarjeta en neptun.mx,e-tarjeta
Greeting from neptun.ru,MSN.RU Postcard
The attached file will include one of the following strings depending
on the language used:
udvozlolap
tarjeta
postcard
pohlednic
kort
grusskarte
galerij
carte
cart
greeting
The attachment name will have one of the following extensions:
CMD, SCR, PIF, COM, ZIP
W32/Zafi-E will copy itself to folders containing the following
strings in an effort to spread to users of P2P file sharing networks.
share, upload, music, startup
W32/Zafi-E will create entries in the registry under
HKLM\Software\Microsoft\__ZF5
Name W32/Sdbot-ADB
Type
* Spyware Worm
How it spreads
* Network shares
Affected operating systems
* Windows
Side effects
* Allows others to access the computer
* Deletes files off the computer
* Steals information
* Downloads code from the internet
* Reduces system security
Prevalence (1-5) 2
Description
W32/Sdbot-ADB is a worm and IRC backdoor Trojan for the Windows
platform.
W32/Sdbot-ADB spreads through various operating system
vulnerabilities and to other network computers infected with
W32/MyDoom backdoors.
W32/Sdbot-ADB runs continuously in the background, providing a
backdoor server which allows a remote intruder to gain access and
control over the computer via IRC channels.
Advanced
W32/Sdbot-ADB is a worm and IRC backdoor Trojan for the Windows
platform.
W32/Sdbot-ADB spreads through various operating system
vulnerabilities and to other network computers infected with
W32/MyDoom backdoors.
W32/Sdbot-ADB runs continuously in the background, providing a
backdoor server which allows a remote intruder to gain access and
control over the computer via IRC channels.
When first run W32/Sdbot-ADB copies itself to <System>\HeIp.exe.
The following registry entries are created to run HeIp.exe on startup:
HKCU\Software\Microsoft\Windows\CurrentVersion\Run
Loaders
HeIp.exe
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Loaders
HeIp.exe
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices
Loaders
HeIp.exe
Name W32/Rbot-APA
Type
* Worm
How it spreads
* Network shares
Affected operating systems
* Windows
Side effects
* Turns off anti-virus applications
* Downloads code from the internet
* Reduces system security
* Installs itself in the Registry
* Exploits system or software vulnerabilities
Aliases
* Backdoor.Win32.Rbot.act
* W32.Spybot.Worm
* WORM_SDBOT.CFU
Prevalence (1-5) 2
Description
W32/Rbot-APA is a worm for the Windows platform.
W32/Rbot-APA spreads to other network computers by exploiting common
buffer overflow vulnerabilities, including: LSASS (MS04-011), RPC-DCOM
(MS04-012), WKS (MS03-049) (CAN-2003 0812) and ASN.1 (MS04-007) and
by copying itself to network shares protected by weak passwords.
The following patches for the operating system vulnerabilities
exploited by W32/Rbot-APA can be obtained from the Microsoft website:
MS04-011
MS04-012
MS03-049
MS04-007
W32/Rbot-APA runs continuously in the background, providing a
backdoor server which allows a remote intruder to gain access and
control over the computer via IRC channels.
W32/Rbot-APA modifies the HOSTS file in order to try to block access
to certain websites.
Advanced
W32/Rbot-APA is a worm for the Windows platform.
W32/Rbot-APA spreads to other network computers by exploiting common
buffer overflow vulnerabilities, including: LSASS (MS04-011), RPC-DCOM
(MS04-012), WKS (MS03-049) (CAN-2003 0812) and ASN.1 (MS04-007) and
by copying itself to network shares protected by weak passwords.
The following patches for the operating system vulnerabilities
exploited by W32/Rbot-APA can be obtained from the Microsoft website:
MS04-011
MS04-012
MS03-049
MS04-007
W32/Rbot-APA runs continuously in the background, providing a backdoor server
which allows a remote intruder to gain access and control over the computer via
IRC channels.
When first run W32/Rbot-APA copies itself to
<Windows system folder>\msmgmctl.exe.
The following registry entries are created to run msmgmctl.exe on
startup:
HKCU\Software\Microsoft\Windows\CurrentVersion\Run
Microsoft Messenger Management Controls
msmgmctl.exe
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Microsoft Messenger Management Controls
msmgmctl.exe
HKCU\Software\Microsoft\Windows\CurrentVersion\RunServices
Microsoft Messenger Management Controls
msmgmctl.exe
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices
Microsoft Messenger Management Controls
msmgmctl.exe
Registry entries are set as follows:
HKCU\SYSTEM\CurrentControlSet\Control\Lsa
Microsoft Messenger Management Controls
msmgmctl.exe
HKLM\SYSTEM\CurrentControlSet\Control\Lsa
Microsoft Messenger Management Controls
msmgmctl.exe
HKCU\Software\Microsoft\OLE
Microsoft Messenger Management Controls
msmgmctl.exe
HKLM\SOFTWARE\Microsoft\Ole
Microsoft Messenger Management Controls
msmgmctl.exe
W32/Rbot-APA appends the following lines to the HOSTS file in order
to try to block access to certain websites:
127.0.0.1 avp.com
127.0.0.1 ca.com
127.0.0.1 customer.symantec.com
127.0.0.1 dispatch.mcafee.com
127.0.0.1 download.mcafee.com
127.0.0.1 f-secure.com
127.0.0.1 kaspersky-labs.com
127.0.0.1 kaspersky.com
127.0.0.1 liveupdate.symantec.com
127.0.0.1 liveupdate.symantecliveupdate.com
127.0.0.1 mast.mcafee.com
127.0.0.1 mcafee.com
127.0.0.1 microsoft.com
127.0.0.1 my-etrust.com
127.0.0.1 nai.com
127.0.0.1 networkassociates.com
127.0.0.1 pandasoftware.com
127.0.0.1 rads.mcafee.com
127.0.0.1 secure.nai.com
127.0.0.1 securityresponse.symantec.com
127.0.0.1 sophos.com
127.0.0.1 symantec.com
127.0.0.1 trendmicro.com
127.0.0.1 update.symantec.com
127.0.0.1 updates.symantec.com
127.0.0.1 us.mcafee.com
127.0.0.1 viruslist.com
127.0.0.1 viruslist.com
127.0.0.1 virustotal.com
127.0.0.1 www.avp.com
127.0.0.1 www.ca.com
127.0.0.1 www.f-secure.com
127.0.0.1 www.grisoft.com
127.0.0.1 www.kaspersky.com
127.0.0.1 www.mcafee.com
127.0.0.1 www.microsoft.com
127.0.0.1 www.my-etrust.com
127.0.0.1 www.nai.com
127.0.0.1 www.networkassociates.com
127.0.0.1 www.pandasoftware.com
127.0.0.1 www.sophos.com
127.0.0.1 www.symantec.com
127.0.0.1 www.trendmicro.com
127.0.0.1 www.viruslist.com
127.0.0.1 www.virustotal.com
Name W32/Rbot-APC
Type
* Spyware Worm
How it spreads
* Network shares
Affected operating systems
* Windows
Side effects
* Allows others to access the computer
* Steals information
* Downloads code from the internet
* Installs itself in the Registry
* Exploits system or software vulnerabilities
Prevalence (1-5) 2
Description
W32/Rbot-APC is a worm and IRC backdoor Trojan for the Windows
platform.
W32/Rbot-APC spreads:
- to other network computers by exploiting common buffer overflow
vulnerabilities, including: LSASS (MS04-011), RPC-DCOM (MS04-012),
WKS (MS03-049) (CAN-2003-0812) and ASN.1 (MS04-007)
- by copying itself to network shares protected by weak passwords
W32/Rbot-APC runs continuously in the background, providing a
backdoor server which allows a remote intruder to gain access and
control over the computer via IRC channels.
When first run W32/Rbot-APC creates the file
<Current folder>\msdirectx.sys.
The file msdirectx.sys is detected as Troj/NtRootK-F.
W32/Rbot-APC includes functionality to:
- perform port scanning
- carry out DDoS flooder attacks
- silently download, install and run new software
- steal information
The following patches for the operating system vulnerabilities
exploited by W32/Rbot-APC can be obtained from the Microsoft website:
MS04-011
MS04-012
MS03-049
MS04-007
Advanced
W32/Rbot-APC is a worm and IRC backdoor Trojan for the Windows
platform.
W32/Rbot-APC spreads:
- to other network computers by exploiting common buffer overflow
vulnerabilities, including: LSASS (MS04-011), RPC-DCOM (MS04-012),
WKS (MS03-049) (CAN-2003-0812) and ASN.1 (MS04-007)
- by copying itself to network shares protected by weak passwords
W32/Rbot-APC runs continuously in the background, providing a
backdoor server which allows a remote intruder to gain access and
control over the computer via IRC channels.
When first run W32/Rbot-APC copies itself to <System>\xpjava.exe and
creates the file <Current folder>\msdirectx.sys.
The file msdirectx.sys is detected as Troj/NtRootK-F.
The following registry entry is changed from its default Windows
value to run xpjava.exe on startup:
from:
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon
Userinit
userinit.exe,
to:
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon
Userinit
userinit.exe,xpjava.exe
W32/Rbot-APC includes functionality to:
- perform port scanning
- carry out DDoS flooder attacks
- silently download, install and run new software
- steal information
Registry entries may be set as follows:
HKLM\SOFTWARE\Microsoft\Ole
EnableDCOM
N
HKLM\SYSTEM\CurrentControlSet\Control\Lsa
restrictanonymous
1
The following patches for the operating system vulnerabilities
exploited by W32/Rbot-APC can be obtained from the Microsoft website:
MS04-011
MS04-012
MS03-049
MS04-007
Name Troj/IRCBot-AG
Type
* Trojan
Affected operating systems
* Windows
Side effects
* Allows others to access the computer
* Downloads code from the internet
* Installs itself in the Registry
Prevalence (1-5) 2
Description
Troj/IRCBot-AG is a Trojan for the Windows platform.
Troj/IRCBot-AG runs continuously in the background, providing a
backdoor server which allows a remote intruder to gain access and
control over the computer via IRC channels.
Advanced
Troj/IRCBot-AG is a Trojan for the Windows platform.
Troj/IRCBot-AG runs continuously in the background, providing a
backdoor server which allows a remote intruder to gain access and
control over the computer via IRC channels.
When first run Troj/IRCBot-AG copies itself to the Windows system
folder.
The following registry entry is created to run Troj/IRCBot-AG on
startup:
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Connectivity Tool
<System≫\<original Trojan filename>
The following registry entries may also be changed:
HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\
FirewallPolicy\StandardProfile\AuthorizedApplications\List
HKLM\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\
FirewallPolicy\StandardProfile\AuthorizedApplications\List
Name Troj/ConycSp-E
Type
* Trojan
Affected operating systems
* Windows
Aliases
* Trojan-Spy.Win32.Delf.kh
Prevalence (1-5) 2
Description
Troj/ConycSp-E is a Trojan for the Windows platform.
Advanced
Troj/ConycSp-E is a Trojan for the Windows platform.
Troj/ConycSp-E includes functionality to access the internet and
communicate with a remote server via HTTP.
When Troj/ConycSp-E is installed it creates the file
\%CurrentFolder%\mm.pid.
Name Troj/BankDl-J
Type
* Trojan
Affected operating systems
* Windows
Side effects
* Downloads code from the internet
Prevalence (1-5) 2
Description
Troj/BankDl-J is a downloader Trojan for the Windows platform.
Troj/BankDl-J will download and execute a file from a predefined URL
as C:\dsd.scr. The downloaded file was detected as Troj/Bancban-FO at
the time of analysis.
Troj/BankDl-J may arrive in spam claiming to be from Big Brother.
While downloading Troj/Bancban-FO it will display a web page relating
to Big Brother.
Name Troj/Lootbot-A
Type
* Trojan
Affected operating systems
* Windows
Side effects
* Allows others to access the computer
* Installs itself in the Registry
Prevalence (1-5) 2
Description
Troj/Lootbot-A is a Trojan for the Windows platform.
Troj/Lootbot-A runs continuously in the background, providing a
backdoor server which allows a remote intruder to gain access and
control over the computer via IRC channels.
Advanced
Troj/Lootbot-A is a Trojan for the Windows platform.
Troj/Lootbot-A runs continuously in the background, providing a
backdoor server which allows a remote intruder to gain access and
control over the computer via IRC channels.
When first run Troj/Lootbot-A copies itself to the Windows system
folder with a file extension of scr.
The following registry entry is created to run Troj/Lootbot-A on
startup:
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Connectivity Tool
<System>\<original Trojan filename>.scr
Name W32/Rbot-APJ
Type
* Spyware Worm
How it spreads
* Network shares
Affected operating systems
* Windows
Side effects
* Allows others to access the computer
* Downloads code from the internet
* Reduces system security
* Records keystrokes
* Installs itself in the Registry
Prevalence (1-5) 2
Description
W32/Rbot-APJ is a network worm with backdoor Trojan functionality for
the Windows platform.
W32/Rbot-APJ spreads using a variety of techniques including
exploiting weak passwords on computers and SQL servers, exploiting
operating system vulnerabilities (including DCOM-RPC, LSASS, WebDAV
and UPNP) and using backdoors opened by other worms or Trojans.
Advanced
W32/Rbot-APJ is a network worm with backdoor Trojan functionality for
the Windows platform.
W32/Rbot-APJ spreads using a variety of techniques including
exploiting weak passwords on computers and SQL servers, exploiting
operating system vulnerabilities (including DCOM-RPC, LSASS, WebDAV
and PnP) and using backdoors opened by other worms or Trojans.
W32/Rbot-APJ can be controlled by a remote attacker over IRC channels.
The backdoor component of W32/Rbot-APJ can be instructed by a remote
user to perform the following functions:
capture screen/webcam images
download/execute arbitrary files
log keypresses
packet sniffing
port scanning
start a Proxy server
start a remote shell (RLOGIN)
start a web server
start an FTP server
steal product registration information from certain software
take part in distributed denial of service (DDoS) attacks
The worm copies itself to a file named mswin.pif in the Windows
system folder and creates the following registry entries:
HKCU\Software\Microsoft\OLE
MS Sys Security
"mswin.pif"
HKCU\SYSTEM\CUrrentControlSet\Control\Lsa
MS Sys Security
"mswin.pif"
HKCU\Software\Microsoft\Windows\CurrentVersion\Run
MS Sys Security
"mswin.pif"
HKCU\Software\Microsoft\Windows\CurrentVersion\RunServices
MS Sys Security
"mswin.pif"
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
MS Sys Security
"mswin.pif"
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices
MS Sys Security
"mswin.pif"
HKLM\SOFTWARE\Microsoft\OLE
MS Sys Security
"mswin.pif"
HKLM\SYSTEM\CUrrentControlSet\Control\Lsa
MS Sys Security
"mswin.pif"
Patches for the operating system vulnerabilities exploited by
W32/Rbot-APJ can be obtained from Microsoft at:
MS01-059
MS03-007
MS04-011
MS04-012
MS05-039
Name W32/Eyeveg-M
Type
* Spyware Worm
How it spreads
* Email messages
Affected operating systems
* Windows
Side effects
* Allows others to access the computer
* Sends itself to email addresses found on the infected computer
* Steals information
* Uses its own emailing engine
* Downloads code from the internet
Aliases
* Worm.Win32.Tanatos.p
* W32/Eyeveg.worm.gen
* W32.Lanieca.H@mm
* WORM_WURMARK.P
Prevalence (1-5) 2
Description
W32/Eyeveg-M is a worm for the Windows platform.
W32/Eyeveg-M spreads via links in emails it sends to addresses found
on the infected computer.
W32/Eyeveg-M sends emails to addresses found on the infected computer.
These have one of the following subject lines:
readme
love
resume
details
news
image
message
pic
girls
photo
video
music
song
screensaver
W32/Eyeveg-M sends emails with a message text just containing a link
to a zip file at one of the following remote websites:
africaplc.com
www.neptuncaffe.com
scheduleconsult.com
www.sismodular.com
At the time of writing none of these zip files were available for
download.
Advanced
W32/Eyeveg-M is a worm for the Windows platform.
W32/Eyeveg-M spreads via links in emails it sends to addresses found
on the infected computer.
W32/Eyeveg-M sends emails to addresses found on the infected computer.
These have one of the following subject lines:
readme
love
resume
details
news
image
message
pic
girls
photo
video
music
song
screensaver
W32/Eyeveg-M sends emails with a message text just containing a link
to a zip file at one of the following remote websites:
africaplc.com
www.neptuncaffe.com
scheduleconsult.com
www.sismodular.com
At the time of writing none of these zip files were available for
download.
W32/Eyeveg-M will attempt to contact a predefined URL in order to get
commands. The tasks that the worm can be instructed to do are:
Keylogging
Monitoring web traffic
Sending email
Stealing stored passwords
Downloading further files
W32/Eyeveg-M copies itself to the Windows system folder with a random
filename and sets an entry in the registry at the following location
to run itself on startup:
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
W32/Eyeveg-M attempts to download and execute a file from a remote
website to the Windows systen folder with a random filename and a DLL
extension.
W32/Eyeveg-M may create or download clean files to the Temp folder
with random filenames and TMP extensions.
Name Troj/Radium-A
Type
* Spyware Trojan
Affected operating systems
* Windows
Side effects
* Allows others to access the computer
* Steals information
* Installs itself in the Registry
Aliases
* Backdoor.Win32.Delf.afe
Prevalence (1-5) 2
Description
Troj/Radium-A is a backdoor Trojan for the Windows platform.
Troj/Radium-A allows a remote attacker to control the infected
computer over a TCP connection.
Advanced
Troj/Radium-A is a backdoor Trojan for the Windows platform.
When first run Troj/Radium-A copies itself to:
<System>\HelpSvc.exe
<System>\ntr.sys
and creates the following files:
<System>\ldr.dll
<System>\msp.dll
The file ldr.dll is registered as a COM object, creating registry
entries under:
HKCR\CLSID\(FF00E8A3-2BE6-11D2-8003-92E340524100)
The following registry entry is created to run code exported by the
Trojan library on startup:
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\ ShellServiceObjectDelayLoad
WebCheck
(FF00E8A3-2BE6-11D2-8003-92E340524100)
If run with sufficient rights Troj/Radium-A will install itself as an
application authorized by Windows Firewall to communicate with the
outside world.
Troj/Radium-A listens on a TCP port (8192 by default) for incoming
connections. An attacker connecting to this port can take control of
the infected computer, performing any of the following actions:
transfer and delete files
list and kill running processes
execute arbitrary commands
take screenshots
hide desktop icons, the taskbar and the start button
open and close the CD tray
change the number of the TCP port on which to listen
shutdown and restart the computer
Name Troj/Lootbot-B
Type
* Trojan
Affected operating systems
* Windows
Side effects
* Allows others to access the computer
* Installs itself in the Registry
Aliases
* PWS-JC
Prevalence (1-5) 2
Description
Troj/Lootbot-B is a backdoor Trojan which allows a remote intruder to
gain access and control over the computer.
Advanced
Troj/Lootbot-B is a backdoor Trojan which allows a remote intruder to
gain access and control over the computer.
When first run Troj/Lootbot-B copies itself to the Windows system
folder.
The following registry entry is created to run Troj/Lootbot-B on
startup:
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
syelimS-esreveR-troppuS
<System>\<original Trojan filename>
Name W32/Rbot-APT
Type
* Spyware Worm
How it spreads
* Network shares
Affected operating systems
* Windows
Side effects
* Turns off anti-virus applications
* Allows others to access the computer
* Steals information
* Downloads code from the internet
* Reduces system security
Prevalence (1-5) 2
Description
W32/Rbot-APT is a network worm with backdoor functionality for the
Windows platform.
W32/Rbot-APT spreads using a variety of techniques including
exploiting weak passwords on computers and SQL servers, exploiting
operating system vulnerabilities (including DCOM-RPC, ASN.1 and PnP)
and using backdoors opened by other worms or Trojans.
The following patches for the operating system vulnerabilities
exploited by W32/Rbot-APT can be obtained from the Microsoft website:
MS04-012
MS05-039
MS04-007
W32/Rbot-APT can be controlled by a remote attacker over IRC channels.
The backdoor component of W32/Rbot-APT can be instructed by a remote
user to perform a variety of tasks.
Advanced
W32/Rbot-APT is a network worm with backdoor functionality for the
Windows platform.
The worm copies itself to a file named win.pif in the Windows system
folder and creates the following registry entries:
HKCU\SYSTEM\CurrentControlSet\Control\Lsa
Windows Security
"win.pif"
HKCU\Software\Microsoft\OLE
Windows Security
"win.pif"
HKCU\Software\Microsoft\Windows\CurrentVersion\Run
Windows Security
"win.pif"
HKCU\Software\Microsoft\Windows\CurrentVersion\RunServices
Windows Security
"win.pif"
HKLM\SOFTWARE\Microsoft\Ole
Windows Security
"win.pif"
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Windows Security
"win.pif"
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices
Windows Security
"win.pif"
HKLM\SYSTEM\CurrentControlSet\Control\Lsa
Windows Security
"win.pif"
W32/Rbot-APT spreads using a variety of techniques including
exploiting weak passwords on computers and SQL servers, exploiting
operating system vulnerabilities (including DCOM-RPC, ASN.1 and PnP)
and using backdoors opened by other worms or Trojans.
The following patches for the operating system vulnerabilities
exploited by W32/Rbot-APT can be obtained from the Microsoft website:
MS04-012
MS05-039
MS04-007
W32/Rbot-APT can be controlled by a remote attacker over IRC channels.
The backdoor component of W32/Rbot-APT can be instructed by a remote
user to perform the following functions:
start an FTP server
start a Proxy server
start a web server
take part in distributed denial of service (DDoS) attacks
log keypresses
capture screen/webcam images
packet sniffing
port scanning
download/execute arbitrary files
start a remote shell (RLOGIN)
steal product registration information from certain software
--- MultiMail/Win32 v0.43
* Origin: Try Our Web Based QWK: DOCSPLACE.ORG (1:123/140)
|