Text 66, 1968 lines
Written 2005-10-10 12:43:00 by KURT WISMER (1:123/140)
Subject: News, October 10 2005
=============================
[cut-n-paste from sophos.com]
Name W32/Sober-P
Type
* Worm
Affected operating systems
* Windows
Side effects
* Sends itself to email addresses found on the infected computer
* Installs itself in the Registry
Aliases
* Trojan-Dropper.Win32.VB.iv
* W32/Sober.r.dr
Prevalence (1-5) 4
Description
W32/Sober-P is a mass-mailing worm.
When first run, a message box may be displayed with title 'Ms Paint'
and containing the text 'Graphic Decoder not found'.
The email sent by W32/Sober-P depends on the recipient address.
Emails sent to recipients whose email address is in the .de, .ch, .at,
.li domains or contains the string "gmx." will receive an email as
follows:
Subject line: Fwd: Klassentreffen
Message text:
hi,
ich hoffe jetzt mal das ich endlich die richtige person erwischt habe!
ich habe jedenfalls mal unser klassenfoto von damals mit angehängt.
wenn du dich dort wiedererkennst, dann schreibe unbedingt zurück!!
wenn ich aber wieder mal die falsche person erwischt habe, dann sorry
für die belästigung ;)
liebe grüße
Hannelore
[English: hi, I hope this time I've finally got hold of the right
person! In any case I've attached our class photo from back then. If
you recognise yourself in it, be sure to write back!! But if I've got
the wrong person again, then sorry for the bother ;) Kind regards,
Hannelore]
Attached file: KlassenFoto.zip
Email sent to other addresses will have the following characteristics:
Subject line: Your new Password
Message text:
Your password was successfully changed!
Please see the attached file for detailed information.
Attached file: pword_change.zip
W32/Sober-P harvests email addresses from files on the computer.
When W32/Sober-P is installed the following files are created:
C:\vbbfgdtd.exe
<Windows>\ConnectionStatus\services.exe
These files are detected as W32/Sober-O.
Advanced
W32/Sober-P is a mass-mailing worm.
When first run, a message box may be displayed with title 'Ms Paint'
and containing the text 'Graphic Decoder not found'.
W32/Sober-P creates a base64 encoded ZIP archived copy of itself in
<Windows>\ConnectionStatus\netslot.nst.
The email sent by W32/Sober-P depends on the recipient address.
Emails sent to recipients whose email address is in the .de, .ch, .at,
.li domains or contains the string "gmx." will receive an email as
follows:
Subject line: Fwd: Klassentreffen
Message text:
hi,
ich hoffe jetzt mal das ich endlich die richtige person erwischt habe!
ich habe jedenfalls mal unser klassenfoto von damals mit angehängt.
wenn du dich dort wiedererkennst, dann schreibe unbedingt zurück!!
wenn ich aber wieder mal die falsche person erwischt habe, dann sorry
für die belästigung ;)
liebe grüße
Hannelore
[English: hi, I hope this time I've finally got hold of the right
person! In any case I've attached our class photo from back then. If
you recognise yourself in it, be sure to write back!! But if I've got
the wrong person again, then sorry for the bother ;) Kind regards,
Hannelore]
Attached file: KlassenFoto.zip
Email sent to other addresses will have the following characteristics:
Subject line: Your new Password
Message text:
Your password was successfully changed!
Please see the attached file for detailed information.
Attached file: pword_change.zip
W32/Sober-P harvests email addresses from files with the following
strings in their filenames:
pmr phtm stm slk inbox imb csv bak imh xhtml imm imh cms nws vcf ctl
dhtm cgi pp ppt msg jsp oft vbs uin ldb abc pst cfg mdw mbx mdx mda
adp nab fdb vap dsp ade sln dsw mde frm bas adr cls ini ldif log mdb
xml wsh tbb abx abd adb pl rtf mmf doc ods nch xls nsf txt wab eml
hlp mht nfo php asp shtml dbx
When W32/Sober-P is installed the following files are created:
C:\vbbfgdtd.exe
<Windows>\ConnectionStatus\services.exe
These files are detected as W32/Sober-O.
The following registry entry is created to run services.exe on startup:
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
WinINet
<Windows>\ConnectionStatus\services.exe
Name W32/Sober-L
Type
* Worm
How it spreads
* Email attachments
Affected operating systems
* Windows
Side effects
* Sends itself to email addresses found on the infected computer
* Forges the sender's email address
* Uses its own emailing engine
* Leaves non-infected files on computer
Prevalence (1-5) 3
Description
W32/Sober-L is a mass-mailing worm for the Windows platform.
Emails sent by the worm will have the following characteristics:
Subject line:
Ich habe Ihre E-Mail bekommen!
or
Your Password & Account number
Message text:
Hallo,
jemand schickt ihre privaten Mails auf meinem Account.
Ich schaetze mal, das es ein Fehler vom Provider ist.
Insgesamt waren es jetzt schon 6 Mails!
Ich habe alle Mail-Texte im Texteditor kopiert und gezippt.
Wenn es doch kein Fehler vom Provider ist, sorge dafuer das diese
Dinger nicht mehr auf meinem Account landen, es Nervt naemlich.
Gruss
[English: Hello, someone is sending your private mails to my account.
I guess it's an error on the provider's side. So far it's been 6
mails! I've copied all the mail texts into the text editor and zipped
them. If it isn't a provider error after all, make sure these things
stop landing in my account, because it's annoying. Regards]
or
hi,
i've got an admin mail with a Password and Account info!
but the mail recipient are you! it's probably an esmtp error, i think.
i've copied the full mail text in the Windows text-editor & zipped.
ok, cya...
Attached file:
MailTexte.zip
or
acc_text.zip
Advanced
W32/Sober-L is a mass-mailing worm which sends itself to addresses
harvested from the infected computer.
When first run, W32/Sober-L will open Notepad and display a body of
text that starts:
Mail-Text:
Unzip failed
W32/Sober-L will copy itself to a subfolder of the Windows folder
named \MSAGENT\SYSTEM with the filename SMSS.EXE. In order to run
automatically each time a user logs on, W32/Sober-L will continually
set the following registry entries:
HKCU\Software\Microsoft\Windows\CurrentVersion\Run
" Services.dll"
<Windows folder>\msagent\system\smss.exe
HKLM\Software\Microsoft\Windows\CurrentVersion\Run
_Services.dll
<Windows folder>\msagent\system\smss.exe
W32/Sober-L also creates the following data files:
\msagent\win32\emdata.mmx
\msagent\win32\zipzip.zab
\read.me
\nonrunso.ber
\stopruns.zhz
\xcvfpokd.tqa
The READ.ME file contains the following text:
test test test
In diesem Sinne: [English: In this spirit:]
Odin alias Anon
W32/Sober-L will attempt to terminate processes with names containing
the following strings:
gcas, gcip, giantanti, stinger, hijackthis
W32/Sober-L harvests email addresses from files with the following
strings in their filenames:
pmr phtm stm slk inbox imb csv bak imh xhtml imm imh cms nws vcf ctl
dhtm cgi pp ppt msg jsp oft vbs uin ldb abc pst cfg mdw mbx mdx mda
adp nab fdb vap dsp ade sln dsw mde frm bas adr cls ini ldif log mdb
xml wsh tbb abx abd adb pl rtf mmf doc ods nch xls nsf txt wab eml
hlp mht nfo php asp shtml dbx
W32/Sober-L avoids sending email to addresses that contain any of the
following strings:
ntp- ntp@ ntp. test@ office @www @from. support smtp- @smtp.
gold-certs ftp. .dial. .ppp. anyone subscribe announce @gmetref sql.
someone nothing you@ user@ reciver@ somebody secure whatever@ whoever@
anywhere yourname mustermann@ .kundenserver. mailer-daemon variabel
password noreply -dav law2 .sul.t- .qmail@ t-ipconnect t-dialin
ipt.aol time postmas service freeav @ca. abuse winrar domain. host.
viren bitdefender spybot detection ewido. emsisoft linux google @foo.
winzip @example. bellcore. @arin mozilla @iana @avp icrosoft. @sophos
@panda @kaspers free-av antivir virus verizon. @ikarus. @nai.
@messagelab nlpmail01. clock
The email sent by W32/Sober-L depends on the recipient address.
Emails sent to recipients whose email address is in the .de, .ch, .at,
.li domains or contains the string "gmx." will receive an email as
follows:
Subject line:
Ich habe Ihre E-Mail bekommen!
Message text:
Hallo,
jemand schickt ihre privaten Mails auf meinem Account.
Ich schaetze mal, das es ein Fehler vom Provider ist.
Insgesamt waren es jetzt schon 6 Mails!
Ich habe alle Mail-Texte im Texteditor kopiert und gezippt.
Wenn es doch kein Fehler vom Provider ist, sorge dafuer das diese
Dinger nicht mehr auf meinem Account landen, es Nervt naemlich.
Gruss
[English: Hello, someone is sending your private mails to my account.
I guess it's an error on the provider's side. So far it's been 6
mails! I've copied all the mail texts into the text editor and zipped
them. If it isn't a provider error after all, make sure these things
stop landing in my account, because it's annoying. Regards]
Attached file:
MailTexte.zip
Email sent to other addresses will have the following characteristics:
Subject line:
Your Password & Account number
Message text:
hi,
i've got an admin mail with a Password and Account info!
but the mail recipient are you! it's probably an esmtp error, i think.
i've copied the full mail text in the Windows text-editor & zipped.
ok, cya...
Attached file:
acc_text.zip
The ZIP file will contain an executable file named
mail_text-data.txt.pif
The From address line will be faked.
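The Sober lures above all hang on one mechanic: a ZIP attachment (base64 in the mail body, the same encoding W32/Sober-P uses for its netslot.nst copy) whose single entry is an executable wearing a document-looking double extension such as mail_text-data.txt.pif. The following is an added example for triaging such an attachment at the gateway; it is not Sophos's code or the worm's. The archive and its MZ-prefixed payload are constructed inline, and EXECUTABLE_EXTENSIONS is my assumption rather than a list from the description.

```python
"""Triage a base64-encoded ZIP mail attachment of the kind W32/Sober-L sends
(a ZIP holding mail_text-data.txt.pif) and W32/Sober-P stores (netslot.nst).

Added example, not Sophos's or the worm's code. The archive and its payload
are constructed here; EXECUTABLE_EXTENSIONS is an assumption, not a list
from the description.
"""
import base64
import io
import zipfile

# Names Windows will run on double-click regardless of any inner ".txt"/".doc".
EXECUTABLE_EXTENSIONS = {".exe", ".pif", ".scr", ".com", ".bat", ".cmd", ".vbs"}


def build_sample_attachment(entry_name, payload):
    """Construct the base64 text a mail client would carry for a one-entry ZIP."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr(entry_name, payload)
    return base64.b64encode(buf.getvalue()).decode("ascii")


def inspect_attachment(b64_attachment):
    """Decode the attachment and describe every ZIP entry without extracting it."""
    raw = base64.b64decode(b64_attachment, validate=True)
    if not raw.startswith(b"PK"):
        raise ValueError("decoded attachment is not a ZIP archive")
    entries = []
    with zipfile.ZipFile(io.BytesIO(raw)) as zf:
        for info in zf.infolist():
            # "mail_text-data.txt.pif" -> ["mail_text-data", "txt", "pif"]
            parts = info.filename.lower().rsplit(".", 2)
            final_ext = "." + parts[-1] if len(parts) > 1 else ""
            inner_ext = "." + parts[-2] if len(parts) > 2 else ""
            head = zf.open(info).read(2)          # only the first two bytes
            entries.append({
                "name": info.filename,
                "size": info.file_size,
                "executable": final_ext in EXECUTABLE_EXTENSIONS,
                "double_extension": final_ext in EXECUTABLE_EXTENSIONS and bool(inner_ext),
                "mz_header": head == b"MZ",       # PE/MZ content under any name
            })
    return entries


def verdict(entries):
    """'block' if any entry is executable by extension or by content, else 'allow'."""
    if any(e["executable"] or e["mz_header"] for e in entries):
        return "block"
    return "allow"


if __name__ == "__main__":
    sample = build_sample_attachment("mail_text-data.txt.pif", b"MZ" + b"\x90" * 64)
    for entry in inspect_attachment(sample):
        print(entry)
    print(verdict(inspect_attachment(sample)))
```

The check deliberately looks at both the final extension and the first two bytes: the Bagle variant further down the page ships names like "Serials.txt.exe" and "Kaspersky Antivirus 5.0" (no extension at all), and only the content test catches the latter.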
Name W32/Rbot-APW
Type
* Spyware Worm
How it spreads
* Network shares
Affected operating systems
* Windows
Side effects
* Turns off anti-virus applications
* Allows others to access the computer
* Steals information
* Records keystrokes
* Installs itself in the Registry
Prevalence (1-5) 2
Description
W32/Rbot-APW is a worm and IRC backdoor Trojan for the Windows
platform.
W32/Rbot-APW spreads to other network computers by exploiting common
buffer overflow vulnerabilities, including LSASS (MS04-011), WKS
(MS03-049), RPC-DCOM (MS04-012) and PNP (MS05-039).
W32/Rbot-APW runs continuously in the background, providing a
backdoor server which allows a remote intruder to gain access and
control over the computer via IRC channels.
W32/Rbot-APW includes functionality to:
- perform port scanning
- carry out DDoS flooder attacks
- silently download, install and run new software
- steal information
Advanced
W32/Rbot-APW is a worm and IRC backdoor Trojan for the Windows
platform.
W32/Rbot-APW spreads to other network computers by exploiting common
buffer overflow vulnerabilities, including LSASS (MS04-011), WKS
(MS03-049), RPC-DCOM (MS04-012) and PNP (MS05-039).
W32/Rbot-APW runs continuously in the background, providing a
backdoor server which allows a remote intruder to gain access and
control over the computer via IRC channels.
W32/Rbot-APW includes functionality to:
- perform port scanning
- carry out DDoS flooder attacks
- silently download, install and run new software
- steal information
When first run W32/Rbot-APW copies itself to <System>\winsass.exe.
The following registry entries are created to run winsass.exe on startup:
HKCU\Software\Microsoft\Windows\CurrentVersion\Run
Microsoft Windows WinSaSS Management
winsass.exe
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Microsoft Windows WinSaSS Management
winsass.exe
HKCU\Software\Microsoft\Windows\CurrentVersion\RunServices
Microsoft Windows WinSaSS Management
winsass.exe
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices
Microsoft Windows WinSaSS Management
winsass.exe
Registry entries are set as follows:
HKCU\SYSTEM\CurrentControlSet\Control\Lsa
Microsoft Windows WinSaSS Management
winsass.exe
HKLM\SYSTEM\CurrentControlSet\Control\Lsa
Microsoft Windows WinSaSS Management
winsass.exe
HKCU\Software\Microsoft\OLE
Microsoft Windows WinSaSS Management
winsass.exe
HKLM\SOFTWARE\Microsoft\Ole
Microsoft Windows WinSaSS Management
winsass.exe
W32/Rbot-APW modifies the HOSTS file to prevent access to anti-virus
and security related sites.
The following patches for the operating system vulnerabilities
exploited by W32/Rbot-APW can be obtained from the Microsoft website:
MS03-049
MS04-011
MS04-012
MS05-039
Name Troj/Badparty-A
Type
* Trojan
Prevalence (1-5) 2
Description
Troj/Badparty-A displays a message box containing the text 'Press OK
to install the party invitation...'.
When the user clicks on OK the Trojan deletes the partition table in
the master boot sector and the contents of the FAT. The Trojan then
attempts to create a new partition table.
The Trojan creates the following files, which are all copies of
legitimate utilities:
ginst0.dll in the Windows temp folder
int86_16.dll, int86_32.dll, playme.exe and party.ini in the Windows
folder
Name Troj/Banker-DV
Type
* Spyware Trojan
Affected operating systems
* Windows
Side effects
* Steals credit card details
* Steals information
* Reduces system security
* Records keystrokes
* Installs itself in the Registry
Aliases
* Trojan-Spy.Win32.Banker.cv
Prevalence (1-5) 2
Description
Troj/Banker-DV is a password-stealing Trojan targeted at customers of
Brazilian banks.
Troj/Banker-DV may display a fake error message containing the
following text:
Erro de aplicativo
Aplicativo nao inicializado corretamente (0xc0000005). Clique em OK
para finalizar a execucao
[English: Application error / The application failed to initialize
properly (0xc0000005). Click OK to terminate the application]
Advanced
Troj/Banker-DV is a password-stealing Trojan targeted at customers of
Brazilian banks.
Troj/Banker-DV will monitor a user's internet access. When certain
internet banking sites are visited, the Trojan will display a fake login screen
in order to trick the user into inputting their details.
Troj/Banker-DV will then send the stolen details to a remote location.
Troj/Banker-DV may display a fake error message containing the
following text:
Erro de aplicativo
Aplicativo nao inicializado corretamente (0xc0000005). Clique em OK
para finalizar a execucao
[English: Application error / The application failed to initialize
properly (0xc0000005). Click OK to terminate the application]
When first run, Troj/Banker-DV will copy itself to <System>\winlogin.exe
In order to run automatically each time a user logs in, Troj/Banker-DV
will set the following registry entry:
HKLM\Software\Microsoft\Windows\CurrentVersion\Run
Windows Update
<System>\winlogin.exe
Name Troj/Bandler-D
Type
* Spyware Trojan
Affected operating systems
* Windows
Side effects
* Turns off anti-virus applications
* Allows others to access the computer
* Steals information
* Downloads code from the internet
* Records keystrokes
Aliases
* Trojan-Spy.Win32.Banbra.dm
* PWSteal.Banpaes
Prevalence (1-5) 2
Description
Troj/Bandler-D is a Trojan for the Windows platform.
Troj/Bandler-D includes functionality to download, install and run
new software.
When first run Troj/Bandler-D copies itself to <Windows>\smss.exe.
Troj/Bandler-D will also attempt to terminate Anti-virus and security
related applications.
Advanced
Troj/Bandler-D is a Trojan for the Windows platform.
Troj/Bandler-D includes functionality to download, install and run
new software.
When first run Troj/Bandler-D copies itself to <Windows>\smss.exe.
The following registry entry is created to run smss.exe on startup:
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
zsmss
<Windows>\smss.exe
Troj/Bandler-D will also attempt to terminate Anti-virus and security
related applications.
Name W32/Opanki-AB
Type
* Spyware Worm
How it spreads
* Chat programs
Affected operating systems
* Windows
Side effects
* Allows others to access the computer
* Steals information
* Downloads code from the internet
* Reduces system security
* Installs itself in the Registry
Aliases
* IM-Worm.Win32.Opanki.ab
Prevalence (1-5) 2
Description
W32/Opanki-AB is a worm and IRC backdoor Trojan for the Windows
platform.
W32/Opanki-AB runs continuously in the background, providing a
backdoor server which allows a remote intruder to gain access and
control over the computer via IRC channels.
W32/Opanki-AB may also attempt to monitor AOL Instant Messenger (AIM)
windows and send data to online contacts.
The backdoor component of W32/Opanki-AB can be instructed to download
and execute further files.
Advanced
W32/Opanki-AB is a worm and IRC backdoor Trojan for the Windows
platform.
W32/Opanki-AB runs continuously in the background, providing a
backdoor server which allows a remote intruder to gain access and
control over the computer via IRC channels.
When first run W32/Opanki-AB copies itself to <Windows>\nether.exe
The following registry entry is created to run nether.exe on startup:
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Windows System Configuration
<Windows>\nether.exe
W32/Opanki-AB may also attempt to monitor AOL Instant Messenger (AIM)
windows and send data to online contacts.
The backdoor component of W32/Opanki-AB can be instructed to download
and execute further files.
Name W32/Rbot-LT
Type
* Spyware Worm
How it spreads
* Network shares
Affected operating systems
* Windows
Side effects
* Allows others to access the computer
* Downloads code from the internet
* Reduces system security
* Records keystrokes
* Installs itself in the Registry
Aliases
* Backdoor.Win32.Rbot.cd
Prevalence (1-5) 2
Description
W32/Rbot-LT is a network worm which contains IRC backdoor Trojan
functionality, allowing unauthorised remote access to the infected
computer.
Advanced
W32/Rbot-LT is a worm which attempts to spread to remote network
shares. It also contains backdoor Trojan functionality, allowing
unauthorised remote access to the infected computer via IRC channels
while running in the background as a service process.
W32/Rbot-LT spreads to network shares with weak passwords and via
network security exploits as a result of the backdoor Trojan element
receiving the appropriate command from a remote user.
W32/Rbot-LT copies itself to the Windows system folder as LSSRV.EXE
and creates entries at the following locations in the registry with
the value Microsoft Services so as to run itself on system startup,
resetting them multiple times every minute:
HKLM\Software\Microsoft\Windows\CurrentVersion\Run
HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices
W32/Rbot-LT also sets the following registry entry with the same
value to point to itself:
HKCU\Software\Microsoft\OLE
W32/Rbot-LT may attempt to set the following registry entries:
HKLM\SOFTWARE\Microsoft\Ole\EnableDCOM = "N"
HKLM\SYSTEM\CurrentControlSet\Control\Lsa\restrictanonymous = "1"
W32/Rbot-LT may attempt to delete network shares on the host computer.
W32/Rbot-LT may attempt to log keystrokes to the file KEY32.TXT in
the Windows system folder.
Name W32/Rbot-AQF
Type
* Worm
Affected operating systems
* Windows
Side effects
* Allows others to access the computer
* Installs itself in the Registry
* Exploits system or software vulnerabilities
Aliases
* Backdoor.Win32.Rbot.gen
* W32/Sdbot.worm.gen.bh
Prevalence (1-5) 2
Description
W32/Rbot-AQF is a worm and IRC backdoor Trojan for the Windows
platform.
W32/Rbot-AQF spreads:
- to other network computers infected with: Troj/Kuang, Troj/Sub7,
Troj/NetDevil, W32/MyDoom, W32/Bagle and Troj/Optix
- to other network computers by exploiting common buffer overflow
vulnerabilities, including: LSASS (MS04-011), RPC-DCOM (MS04-012),
WKS (MS03-049) (CAN-2003-0812), WebDav (MS03-007), IIS5SSL (MS04-011)
(CAN-2003-0719), UPNP (MS01-059), Veritas (CAN-2004-1172), Dameware
(CAN-2003-1030), PNP (MS05-039) and ASN.1 (MS04-007)
- by copying itself to network shares protected by weak passwords
W32/Rbot-AQF runs continuously in the background, providing a
backdoor server which allows a remote intruder to gain access and
control over the computer via IRC channels.
Advanced
W32/Rbot-AQF is a worm and IRC backdoor Trojan for the Windows
platform.
W32/Rbot-AQF spreads:
- to other network computers infected with: Troj/Kuang, Troj/Sub7,
Troj/NetDevil, W32/MyDoom, W32/Bagle and Troj/Optix
- to other network computers by exploiting common buffer overflow
vulnerabilities, including: LSASS (MS04-011), RPC-DCOM (MS04-012),
WKS (MS03-049) (CAN-2003-0812), WebDav (MS03-007), IIS5SSL (MS04-011)
(CAN-2003-0719), UPNP (MS01-059), Veritas (CAN-2004-1172), Dameware
(CAN-2003-1030), PNP (MS05-039) and ASN.1 (MS04-007)
- by copying itself to network shares protected by weak passwords
W32/Rbot-AQF runs continuously in the background, providing a
backdoor server which allows a remote intruder to gain access and
control over the computer via IRC channels.
When first run W32/Rbot-AQF copies itself to <System>\msnwindows.exe.
The following registry entries are created to run msnwindows.exe on
startup:
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
System Service
msnwindows.exe
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices
System Service
msnwindows.exe
Registry entries are set as follows:
HKCU\Software\Microsoft\OLE
System Service
msnwindows.exe
HKLM\SOFTWARE\Microsoft\Ole
EnableDCOM
N
HKLM\SYSTEM\CurrentControlSet\Control\Lsa
restrictanonymous
1
Name Troj/Small-QJ
Type
* Trojan
Affected operating systems
* Windows
Side effects
* Downloads code from the internet
* Reduces system security
* Installs itself in the Registry
Aliases
* TROJ_SMALL.QI
Prevalence (1-5) 2
Description
Troj/Small-QJ is a Trojan for the Windows platform.
Troj/Small-QJ includes functionality to access the internet and
communicate with a remote server via HTTP.
Troj/Small-QJ downloads and executes several files from a remote site.
Advanced
Troj/Small-QJ is a Trojan for the Windows platform.
Troj/Small-QJ includes functionality to access the internet and
communicate with a remote server via HTTP.
When first run Troj/Small-QJ copies itself to the Windows system
folder and creates the file <CurrentFolder>\winhlp32.dll (also
detected as Troj/Small-QJ).
The following registry entry is created to run Troj/Small-QJ on
startup:
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
down
<original Trojan filename>
Troj/Small-QJ downloads and executes several files from a remote site.
Name Troj/Vanti-E
Type
* Trojan
Affected operating systems
* Windows
Aliases
* Rootkit.Win32.Vanti.e
Prevalence (1-5) 2
Description
Troj/Vanti-E is used by malicious software to hide its presence on an
infected system.
Name W32/Tilebot-W
Type
* Worm
How it spreads
* Network shares
Affected operating systems
* Windows
Side effects
* Allows others to access the computer
* Downloads code from the internet
* Installs itself in the Registry
* Exploits system or software vulnerabilities
Aliases
* Backdoor.Win32.Agobot.afk
* WORM_RBOT.CHY
Prevalence (1-5) 2
Description
W32/Tilebot-W is a worm and IRC backdoor Trojan for the Windows
platform.
W32/Tilebot-W spreads to other network computers by exploiting common
buffer overflow vulnerabilities, including RPC-DCOM (MS04-012).
W32/Tilebot-W runs continuously in the background, providing a
backdoor server which allows a remote intruder to gain access and
control over the computer via IRC channels.
W32/Tilebot-W includes functionality to access the internet and
communicate with a remote server via HTTP.
When first run W32/Tilebot-W copies itself to <Windows>\csrss.exe.
Advanced
W32/Tilebot-W is a worm and IRC backdoor Trojan for the Windows
platform.
W32/Tilebot-W spreads to other network computers by exploiting common
buffer overflow vulnerabilities, including RPC-DCOM (MS04-012).
W32/Tilebot-W runs continuously in the background, providing a
backdoor server which allows a remote intruder to gain access and
control over the computer via IRC channels.
W32/Tilebot-W includes functionality to access the internet and
communicate with a remote server via HTTP.
When first run W32/Tilebot-W copies itself to <Windows>\csrss.exe.
The file csrss.exe is registered as a new system driver service named
"wservtime", with a display name of "Windows Time Sync" and a startup
type of automatic, so that it is started automatically during system
startup. Registry entries are created under:
HKLM\SYSTEM\CurrentControlSet\Services\wservtime\
W32/Tilebot-W sets the following registry entries, disabling the
automatic startup of other software:
HKLM\SYSTEM\CurrentControlSet\Services\Messenger
Start
4
HKLM\SYSTEM\CurrentControlSet\Services\RemoteRegistry
Start
4
HKLM\SYSTEM\CurrentControlSet\Services\TlntSvr
Start
4
Registry entries are set as follows:
HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate
DoNotAllowXPSP2
1
HKLM\SOFTWARE\Microsoft\Ole
EnableDCOM
N
HKLM\SYSTEM\CurrentControlSet\Control\Lsa
restrictanonymous
1
Registry entries are created under:
HKLM\SOFTWARE\Microsoft\Security Center\
HKLM\SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile\
HKLM\SOFTWARE\Policies\Microsoft\WindowsFirewall\StandardProfile\
Name W32/Kassbot-I
Type
* Worm
How it spreads
* Network shares
Affected operating systems
* Windows
Side effects
* Modifies data on the computer
* Reduces system security
* Installs itself in the Registry
* Exploits system or software vulnerabilities
Aliases
* Backdoor.Win32.Nanspy.c
* BackDoor-CPV
Prevalence (1-5) 2
Description
W32/Kassbot-I is a worm and backdoor Trojan for the Windows platform.
W32/Kassbot-I spreads to other network computers by exploiting common
buffer overflow vulnerabilities, including LSASS (MS04-011).
W32/Kassbot-I runs continuously in the background, providing a
backdoor server which allows a remote intruder to gain access and
control over the computer.
Advanced
W32/Kassbot-I is a worm and backdoor Trojan for the Windows platform.
W32/Kassbot-I spreads to other network computers by exploiting common
buffer overflow vulnerabilities, including LSASS (MS04-011).
W32/Kassbot-I runs continuously in the background, providing a
backdoor server which allows a remote intruder to gain access and
control over the computer.
W32/Kassbot-I includes functionality to access the internet and
communicate with a remote server via HTTP.
W32/Kassbot-I will append the following to the HOSTS file in order to
redirect internet traffic aimed at security-related hosts to an
alternate address.
<alternate url> d-ru-1f.kaspersky-labs.com
<alternate url> d-ru-1h.kaspersky-labs.com
<alternate url> d-ru-2f.kaspersky-labs.com
<alternate url> d-ru-2h.kaspersky-labs.com
<alternate url> d-eu-2f.kaspersky-labs.com
<alternate url> d-eu-2h.kaspersky-labs.com
<alternate url> d-eu-1f.kaspersky-labs.com
<alternate url> d-eu-1h.kaspersky-labs.com
<alternate url> d-us-1f.kaspersky-labs.com
<alternate url> d-us-1h.kaspersky-labs.com
<alternate url> downloads1.kaspersky.ru
<alternate url> downloads2.kaspersky.ru
<alternate url> downloads3.kaspersky.ru
<alternate url> downloads4.kaspersky.ru
<alternate url> downloads5.kaspersky.ru
<alternate url> www.kaspersky.ru
<alternate url> kaspersky.ru
<alternate url> kaspersky-labs.com
<alternate url> www.kaspersky-labs.com
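The HOSTS edits listed for W32/Kassbot-I (and, less specifically, for W32/Rbot-APW above) are cheap to detect because a workstation HOSTS file has no business mapping a vendor's update servers to anything. Below is an added example, not Sophos's or the worm's code, that parses a HOSTS file and reports such mappings, distinguishing a loopback sinkhole from a redirect to a foreign address. SAMPLE_HOSTS is a constructed file, not a capture: the hostnames are from the Kassbot-I list, the addresses are placeholders, and WATCHED_DOMAIN_FRAGMENTS is an assumption to be extended for the products actually deployed.

```python
"""Flag HOSTS-file mappings for security-vendor hostnames, the tampering
described above for W32/Kassbot-I and for W32/Rbot-APW.

Added example, not Sophos's or the worm's code. SAMPLE_HOSTS is a constructed
file, not a capture: the hostnames come from the Kassbot-I list, the
addresses are placeholders. WATCHED_DOMAIN_FRAGMENTS is an assumption.
"""
import ipaddress

# Vendor/update domains whose presence in HOSTS is never legitimate on a
# managed workstation; extend for the products actually deployed.
WATCHED_DOMAIN_FRAGMENTS = ("kaspersky", "sophos", "symantec", "mcafee",
                            "trendmicro", "windowsupdate", "microsoft.com")

SAMPLE_HOSTS = """\
# constructed sample HOSTS file
127.0.0.1       localhost
::1             localhost
198.51.100.7    d-ru-1f.kaspersky-labs.com
198.51.100.7    downloads1.kaspersky.ru    # appended by the worm
127.0.0.1       www.kaspersky-labs.com
10.0.0.5        intranet.example.internal
"""


def parse_hosts(text):
    """Yield (address, hostname, line number) for each mapping; comments, blank
    lines and lines whose first field is not an IP address are skipped."""
    for lineno, line in enumerate(text.splitlines(), 1):
        body = line.split("#", 1)[0].strip()
        if not body:
            continue
        fields = body.split()
        try:
            addr = ipaddress.ip_address(fields[0])
        except ValueError:
            continue
        for host in fields[1:]:
            yield addr, host.lower(), lineno


def suspicious_hosts_entries(text, watched=WATCHED_DOMAIN_FRAGMENTS):
    """Return every mapping of a watched hostname. Loopback/unspecified targets
    are a sinkhole (updates silently fail); any other target is a redirect to a
    host the attacker controls, which is the more dangerous case."""
    findings = []
    for addr, host, lineno in parse_hosts(text):
        if host == "localhost" or not any(frag in host for frag in watched):
            continue
        kind = "sinkhole" if (addr.is_loopback or addr.is_unspecified) else "redirect"
        findings.append({"line": lineno, "host": host,
                         "address": str(addr), "kind": kind})
    return findings


if __name__ == "__main__":
    for finding in suspicious_hosts_entries(SAMPLE_HOSTS):
        print(finding)
```

On a live host, read %SystemRoot%\System32\drivers\etc\hosts into the function; any "redirect" finding is also a lead for network forensics, since the address is one the attacker chose.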
When first run W32/Kassbot-I copies itself to <System>\spools.exe and
creates the file <System>\xbccd.log, which is a harmless text file.
The following registry entry is created to run spools.exe on startup:
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Spools Service Controller
<System>\spools.exe
Name W32/Tilebot-X
Type
* Spyware Worm
How it spreads
* Network shares
Affected operating systems
* Windows
Side effects
* Allows others to access the computer
* Steals information
* Drops more malware
* Downloads code from the internet
* Reduces system security
* Installs itself in the Registry
Aliases
* Backdoor.Win32.Aimbot.af
* W32/Sdbot.worm.gen.by
Prevalence (1-5) 2
Description
W32/Tilebot-X is a worm and IRC backdoor Trojan for the Windows
platform.
W32/Tilebot-X spreads to other network computers by exploiting common
buffer overflow vulnerabilities, including: LSASS (MS04-011), RPC-DCOM
(MS04-012), PNP (MS05-039) and ASN.1 (MS04-007) and by copying itself
to network shares protected by weak passwords.
W32/Tilebot-X runs continuously in the background, providing a
backdoor server which allows a remote intruder to gain access and
control over the computer via IRC channels.
W32/Tilebot-X includes functionality to:
- setup a SOCKS4 server
- enumerate all drives and processes on the infected computer
- access the internet and communicate with a remote server via HTTP
- create new AOL Instant Messenger profiles
- perform port scanning
- steal information including POP3 and Hotmail usernames and passwords
as well as from the Protected Storage area
W32/Tilebot-X also creates the file <System>\rofl.sys. The file
rofl.sys is detected as Troj/RKPort-Fam.
The following patches for the operating system vulnerabilities
exploited by W32/Tilebot-X can be obtained from the Microsoft website:
MS04-011
MS04-012
MS05-039
MS04-007
Advanced
W32/Tilebot-X is a worm and IRC backdoor Trojan for the Windows
platform.
W32/Tilebot-X spreads to other network computers by exploiting common
buffer overflow vulnerabilities, including: LSASS (MS04-011), RPC-DCOM
(MS04-012), PNP (MS05-039) and ASN.1 (MS04-007) and by copying itself
to network shares protected by weak passwords.
W32/Tilebot-X runs continuously in the background, providing a
backdoor server which allows a remote intruder to gain access and
control over the computer via IRC channels.
W32/Tilebot-X includes functionality to:
- setup a SOCKS4 server
- enumerate all drives and processes on the infected computer
- access the internet and communicate with a remote server via HTTP
- create new AOL Instant Messenger profiles
- perform port scanning
- steal information including POP3 and Hotmail usernames and passwords
as well as from the Protected Storage area
When first run W32/Tilebot-X copies itself to <Windows>\smrss.exe and
creates the file <System>\rofl.sys.
The file rofl.sys is detected as Troj/RKPort-Fam.
The file smrss.exe is registered as a new system driver service named
"Windows Smrss Service", with a display name of
"Windows Smrss Service" and a startup type of automatic, so that it
is started automatically during system startup. Registry entries are
created under:
HKLM\SYSTEM\CurrentControlSet\Services\Windows Smrss Service\
HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_WINDOWS_SMRSS_SERVICE\
HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_ROFL
The file rofl.sys is registered as a new system driver service named
"rofl", with a display name of "rofl". Registry entries are created
under:
HKLM\SYSTEM\CurrentControlSet\Services\rofl\
W32/Tilebot-X sets the following registry entries, disabling the
automatic startup of other software:
HKLM\SYSTEM\CurrentControlSet\Services\Messenger
Start
4
HKLM\SYSTEM\CurrentControlSet\Services\RemoteRegistry
Start
4
HKLM\SYSTEM\CurrentControlSet\Services\TlntSvr
Start
4
Registry entries are set as follows:
HKLM\SOFTWARE\Microsoft\Security Center
AntiVirusDisableNotify
1
HKLM\SOFTWARE\Microsoft\Security Center
AntiVirusOverride
1
HKLM\SOFTWARE\Microsoft\Security Center
FirewallDisableNotify
1
HKLM\SOFTWARE\Microsoft\Security Center
FirewallOverride
1
HKLM\SOFTWARE\Microsoft\Security Center
UpdatesDisableNotify
1
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate\Auto Update
AUOptions
1
HKLM\SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile
EnableFirewall
0
HKLM\SOFTWARE\Policies\Microsoft\WindowsFirewall\StandardProfile
EnableFirewall
0
HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate
DoNotAllowXPSP2
1
HKLM\SYSTEM\CurrentControlSet\Services\wscsvc
Start
4
HKLM\SOFTWARE\Microsoft\Ole
EnableDCOM
N
HKLM\SYSTEM\CurrentControlSet\Control\Lsa
restrictanonymous
1
HKLM\SYSTEM\CurrentControlSet\Control\ServiceCurrent
(default)
8
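The registry values W32/Tilebot-X and W32/Tilebot-W set are all ones Security Center, Windows Firewall and Automatic Updates read at startup, so an exported snapshot is enough to spot them after the fact. The following is an added example, not Sophos's or the bot's code: it parses a .reg export, compares each listed value against a healthy baseline, and emits the corrected .reg fragment. SAMPLE_REG is a constructed "Windows Registry Editor Version 5.00" export, not a real capture, and the baseline values are my assumption for an XP SP2 workstation. Note that EnableDCOM=N and restrictanonymous=1, which every bot on this page sets, read as hardening in isolation (the bot uses them to shut competitors out of the host it just exploited), so they are deliberately not treated as tampering here.

```python
"""Audit a Registry export for the Security Center, firewall and update
tampering listed above for W32/Tilebot-X (and partly W32/Tilebot-W).

Added example, not Sophos's or the bot's code. SAMPLE_REG is a constructed
"Windows Registry Editor Version 5.00" export, not a real capture; the
baseline ("healthy") values are an assumption for an XP SP2 workstation.
"""
import re

SC = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center"
FW = r"HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall"
AU = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate\Auto Update"
WU = r"HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate"
SVC = r"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services"

# (key, value name): (healthy value, value the bot sets, meaning of the bot's value)
BASELINE = {
    (SC, "AntiVirusDisableNotify"): ("0", "1", "suppresses the 'no antivirus' alert"),
    (SC, "AntiVirusOverride"): ("0", "1", "tells Security Center AV is handled elsewhere"),
    (SC, "FirewallDisableNotify"): ("0", "1", "suppresses the 'firewall off' alert"),
    (SC, "FirewallOverride"): ("0", "1", "tells Security Center a firewall is handled elsewhere"),
    (SC, "UpdatesDisableNotify"): ("0", "1", "suppresses the 'updates off' alert"),
    (AU, "AUOptions"): ("4", "1", "Automatic Updates disabled"),
    (FW + r"\DomainProfile", "EnableFirewall"): ("1", "0", "Windows Firewall off (domain)"),
    (FW + r"\StandardProfile", "EnableFirewall"): ("1", "0", "Windows Firewall off (standard)"),
    (WU, "DoNotAllowXPSP2"): ("0", "1", "blocks the XP SP2 update"),
    (SVC + r"\wscsvc", "Start"): ("2", "4", "Security Center service disabled"),
}

SAMPLE_REG = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center]
"AntiVirusDisableNotify"=dword:00000001
"AntiVirusOverride"=dword:00000001
"FirewallDisableNotify"=dword:00000000
"UpdatesDisableNotify"=dword:00000001

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\StandardProfile]
"EnableFirewall"=dword:00000000

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\wscsvc]
"Start"=dword:00000004

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Ole]
"EnableDCOM"="N"
"""

SECTION_RE = re.compile(r"^\[(.+)\]$")
VALUE_RE = re.compile(r'^(?:"((?:[^"\\]|\\.)+)"|@)=(.*)$')


def parse_reg_export(text):
    """Map (key, value name) -> value string. dword values become decimal strings,
    REG_SZ values lose their quotes, other types are kept verbatim."""
    values, key = {}, None
    for line in text.splitlines():
        line = line.strip()
        m = SECTION_RE.match(line)
        if m:
            key = m.group(1)
            continue
        m = VALUE_RE.match(line)
        if not m or key is None:
            continue
        name = m.group(1) if m.group(1) is not None else "(default)"
        raw = m.group(2)
        if raw.lower().startswith("dword:"):
            value = str(int(raw[6:], 16))
        elif len(raw) >= 2 and raw[0] == raw[-1] == '"':
            value = raw[1:-1]
        else:
            value = raw
        values[(key, name)] = value
    return values


def audit(values, baseline=BASELINE):
    """Return the baseline entries whose exported value equals the bot's value.
    Keys absent from the export are not reported: an unset policy is not evidence."""
    findings = []
    for (key, name), (good, bad, note) in baseline.items():
        current = values.get((key, name))
        if current is not None and current == bad:
            findings.append({"key": key, "name": name, "value": current,
                             "expected": good, "note": note})
    return findings


def remediation_reg(findings):
    """Emit a .reg fragment restoring the baseline value for every finding."""
    by_key = {}
    for f in findings:
        by_key.setdefault(f["key"], []).append(f)
    lines = ["Windows Registry Editor Version 5.00", ""]
    for key, items in by_key.items():
        lines.append(f"[{key}]")
        lines.extend(f'"{f["name"]}"=dword:{int(f["expected"]):08x}' for f in items)
        lines.append("")
    return "\n".join(lines)


if __name__ == "__main__":
    found = audit(parse_reg_export(SAMPLE_REG))
    for f in found:
        print(f["name"], "=", f["value"], "->", f["note"])
    print(remediation_reg(found))
```

Restoring the values is only the visible half of the cleanup: the Services\wscsvc Start value controls whether Security Center runs at all, and the bot's own service (csrss.exe as "wservtime", smrss.exe as "Windows Smrss Service") must be removed before any of these settings will stay fixed across a reboot.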
The following patches for the operating system vulnerabilities
exploited by W32/Tilebot-X can be obtained from the Microsoft website:
MS04-011
MS04-012
MS05-039
MS04-007
Name W32/Bagle-AN
Type
* Worm
How it spreads
* Email attachments
Affected operating systems
* Windows
Side effects
* Turns off anti-virus applications
* Downloads code from the internet
* Installs itself in the Registry
Aliases
* W32/Bagle.df@MM
* mail-Worm.Win32.Bagle.dx
Prevalence (1-5) 2
Description
W32/Bagle-AN is a worm for the Windows platform.
W32/Bagle-AN spreads via file sharing on Peer-to-peer networks and
via email.
W32/Bagle-AN includes functionality to download, install and run new
software.
W32/Bagle-AN then creates copies of itself in all folders containing
the substring SHAR on all drives.
W32/Bagle-AN also spreads by email. The email addresses are collected
from files on the system containing the following file extensions:
WAB, TXT, MSG, HTM, SHTM, STM, XML, DBX, MBX, MDX, EML, NCH, MMF, ODS,
CFG, ASP, PHP, PL, WSH, ADB, TBB, SHT, XLS, OFT, UIN, CGI, MHT, DHTM,
JSP.
The worm arrives as an attachment to an HTML email message.
The basename of the attachment is chosen from the following list:
Information
Details
text_document
Updates
Readme
Document
Info
Details
MoreInfo
Message
The email message has the following characteristics:
Subject line:
Re: Msg reply
Re: Hello
Re: Yahoo!
Re: Thank you!
Re: Thanks :)
RE: Text message
Re: Document
Incoming message
Re: Incoming Message
RE: Incoming Msg
RE: Message Notify
Notification
Changes..
Update
Fax Message
Protected message
RE: Protected message
Forum notify
Site changes
Re: Hi
Encrypted document
Message text:
Read the attach.
Your file is attached.
More info is in attach
See attach.
Please, have a look at the attached file.
Your document is attached.
Please, read the document.
Attach tells everything.
Attached file tells everything.
Check attached file for details.
Check attached file.
Pay attention at the attach.
See the attached file for details.
Message is in attach
Here is the file.
Advanced
W32/Bagle-AN is a worm for the Windows platform.
W32/Bagle-AN spreads via file sharing on Peer-to-peer networks and
via email.
W32/Bagle-AN includes functionality to download, install and run new
software.
When first run, W32/Bagle-AN copies itself to <System>\winhost.exe
and creates the following registry entry:
HKCU\Software\Microsoft\Windows\CurrentVersion\Run
winhost.exe
<System>\winhost.exe
W32/Bagle-AN then creates copies of itself in all folders containing
the substring SHAR on all drives.
The worm uses the following filenames:
"Microsoft Office 2003 Crack, Working!.exe"
"Microsoft Windows XP, WinXP Crack, working Keygen.exe"
"Norton Antivirus, working Keygen.exe"
"Microsoft Office XP working Crack, Keygen.exe"
"Porno, sex, oral, anal cool, awesome!!.exe"
"Porno Screensaver.scr"
"Serials.txt.exe"
"Kaspersky Antivirus 5.0"
"Porno pics arhive, xxx.exe"
"Windows Sourcecode update.doc.exe"
"Ahead Nero 7.exe"
"Windown Longhorn Beta Leak.exe"
"Opera 8 New!.exe"
"XXX hardcore images.exe"
"WinAmp 6 New!.exe"
"WinAmp 5 Pro Keygen Crack Update.exe"
"Adobe Photoshop 9 full.exe"
"Matrix 3 Revolution English Subtitles.exe"
"Doom3_nocd.exe"
"HalfLife2_noCD.exe"
"12 year old Katia sucks and fucks me in lots of positions. (teen
preteen anal cumshot sex young whore school lolita.avi .exe"
W32/Bagle-AN spreads by email. The email addresses are collected from
files on the system containing the following file extensions:
WAB, TXT, MSG, HTM, SHTM, STM, XML, DBX, MBX, MDX, EML, NCH, MMF, ODS,
CFG, ASP, PHP, PL, WSH, ADB, TBB, SHT, XLS, OFT, UIN, CGI, MHT, DHTM,
JSP.
The worm arrives as an attachment to an HTML email message.
The basename of the attachment is chosen from the following list:
Information
Details
text_document
Updates
Readme
Document
Info
Details
MoreInfo
Message
The email message has the following characteristics:
Subject line:
Re: Msg reply
Re: Hello
Re: Yahoo!
Re: Thank you!
Re: Thanks :)
RE: Text message
Re: Document
Incoming message
Re: Incoming Message
RE: Incoming Msg
RE: Message Notify
Notification
Changes..
Update
Fax Message
Protected message
RE: Protected message
Forum notify
Site changes
Re: Hi
Encrypted document
Message text:
Read the attach.
Your file is attached.
More info is in attach
See attach.
Please, have a look at the attached file.
Your document is attached.
Please, read the document.
Attach tells everything.
Attached file tells everything.
Check attached file for details.
Check attached file.
Pay attention at the attach.
See the attached file for details.
Message is in attach
Here is the file.
W32/Bagle-AN also attempts to terminate security related processes on
an infected computer.
Registry entries are created under:
HKCU\Software\Timeout\
Name W32/Kassbot-H
Type
* Spyware Worm
How it spreads
* Network shares
Affected operating systems
* Windows
Side effects
* Allows others to access the computer
* Modifies data on the computer
* Deletes files off the computer
* Steals information
* Downloads code from the internet
Prevalence (1-5) 2
Description
W32/Kassbot-H is a worm and backdoor Trojan for the Windows platform.
W32/Kassbot-H runs continuously in the background, providing a
backdoor server which allows a remote intruder to gain access and
control over the computer.
W32/Kassbot-H includes functionality to access the internet and
communicate with a remote server via HTTP and IRC.
W32/Kassbot-H may send an email to a pre-defined email address
containing system information from the infected computer.
W32/Kassbot-H will monitor a user's internet access. When certain
internet sites are accessed, the worm will redirect the user to a
website with fake login pages or email the stolen details to a
pre-specified email address.
W32/Kassbot-H will attempt to spread by exploiting the LSASS
vulnerability (MS04-011). The patch for the operating system
vulnerability exploited by W32/Kassbot-H can be obtained from the
Microsoft website:
MS04-011
Advanced
W32/Kassbot-H is a worm and backdoor Trojan for the Windows platform.
W32/Kassbot-H runs continuously in the background, providing a
backdoor server which allows a remote intruder to gain access and
control over the computer.
W32/Kassbot-H includes functionality to access the internet and
communicate with a remote server via HTTP and IRC.
When first run W32/Kassbot-H copies itself to <System>\spools.exe and
creates the file <System>\xbccd.log. The file xbccd.log may be deleted.
The following registry entry is created to run spools.exe on startup:
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Spools Service Controller
<System>\spools.exe
W32/Kassbot-H may send an email to a pre-defined email address
containing system information from the infected computer.
W32/Kassbot-H will monitor a user's internet access. When certain
internet sites are accessed, the worm will redirect the user to a
website with fake login pages or email the stolen details to a
pre-specified email address.
W32/Kassbot-H will attempt to spread by exploiting the LSASS
vulnerability (MS04-011). The patch for the operating system
vulnerability exploited by W32/Kassbot-H can be obtained from the
Microsoft website:
MS04-011
W32/Kassbot-H will append the following lines to the HOSTS file in an
attempt to block access to anti-virus related websites:
d-ru-1f.kaspersky-labs.com
d-ru-1h.kaspersky-labs.com
d-ru-2f.kaspersky-labs.com
d-ru-2h.kaspersky-labs.com
d-eu-2f.kaspersky-labs.com
d-eu-2h.kaspersky-labs.com
d-eu-1f.kaspersky-labs.com
d-eu-1h.kaspersky-labs.com
d-us-1f.kaspersky-labs.com
d-us-1h.kaspersky-labs.com
downloads1.kaspersky.ru
downloads2.kaspersky.ru
downloads3.kaspersky.ru
downloads4.kaspersky.ru
downloads5.kaspersky.ru
www.kaspersky.ru
kaspersky.ru
kaspersky-labs.com
www.kaspersky-labs.com
Name Troj/GrayBrd-AC
Type
* Trojan
Affected operating systems
* Windows
Side effects
* Allows others to access the computer
* Installs itself in the Registry
Aliases
* Backdoor.Win32.Hupigon.hi
Prevalence (1-5) 2
Description
Troj/GrayBrd-AC is a Trojan for the Windows platform.
Troj/GrayBrd-AC includes functionality to access the internet and
communicate with a remote server via HTTP.
Advanced
Troj/GrayBrd-AC is a Trojan for the Windows platform.
Troj/GrayBrd-AC includes functionality to access the internet and
communicate with a remote server via HTTP.
When first run Troj/GrayBrd-AC copies itself to
<System>\RavExt\winlogo.exe.
The file winlogo.exe is registered as a new system driver service
named "Internet", with a display name of "Windows Internet/Server"
and a startup type of automatic, so that it is started automatically
during system startup. Registry entries are created under:
HKLM\SYSTEM\CurrentControlSet\Services\Internet\
Name W32/Mytob-ET
Type
* Worm
How it spreads
* Email attachments
Affected operating systems
* Windows
Side effects
* Turns off anti-virus applications
* Allows others to access the computer
* Sends itself to email addresses found on the infected computer
* Modifies data on the computer
Prevalence (1-5) 2
Description
W32/Mytob-ET is a mass-mailing worm and IRC backdoor Trojan.
W32/Mytob-ET runs continuously in the background, providing a
backdoor server which allows a remote intruder to gain access and
control over the computer via IRC channels.
W32/Mytob-ET can spread by sending itself as an email attachment to
email addresses harvested from the infected computer.
Emails sent by the worm have characteristics from the following:
Subject lines:
Your password has been updated
Your password has been successfully updated
You have successfully updated your password
Your new account password is approved
Your Account is Suspended
*DETECTED* Online User Violation
Your Account is Suspended For Security Reasons
Warning Message: Your services near to be closed.
Important Notification
Members Support
Security measures
Email Account Suspension
Notice of account limitation
or random characters
Message text - one of the following:
The worm will insert the username and the email domain of the
addressee into the email.
Dear user <UserName>,
You have successfully updated the password of your <domain> account.
If you did not authorize this change or if you need assistance with
your account, please contact <domain> customer service at:
<sender@domain>
Thank you for using <domain>!
The <domaim> Support Team
+++ Attachment: No Virus (Clean)
+++ <domain> Antivirus - www.<domain>
Dear user <UserName>,
It has come to our attention that your <domain> User Profile ( x )
records are out of date. For further details see the attached document.
Thank you for using <domain>!
The <domain> Support Team
+++ Attachment: No Virus (Clean)
+++ <domain> Antivirus - www.<domain>
Dear <domain> Member,
We have temporarily suspended your email account <UserEmailAddress>.
This might be due to either of the following reasons:
1. A recent change in your personal information (i.e. change of
address).
2. Submiting invalid information during the initial sign up process.
3. An innability to accurately verify your selected option of
subscription due to an internal error within our processors.
See the details to reactivate your <domain> account.
Sincerely,The <domain> Support Team
+++ Attachment: No Virus (Clean)
+++ <domain> Antivirus - www.<domain>
Dear <domain> Member,
Your e-mail account was used to send a huge amount of unsolicited
spam messages during the recent week. If you could please take 5-10
minutes out of your online experience and confirm the attached
document so you will not run into any future problems with the online
service.
If you choose to ignore our request, you leave us no choice but to
cancel your membership.
Virtually yours,
The <domain> Support Team
+++ Attachment: No Virus found
+++ <domain> Antivirus - www.<domain>
Attachment name:
updated-password
email-password
new-password
password
approved-password
account-password
accepted-password
important-details
account-details
email-details
account-info
document
readme
account-report
or random characters
The zip file will contain the worm with double extension. The first
extension will be one of doc, htm, txt followed by spaces and the
second extension is exe, scr or pif.
Advanced
W32/Mytob-ET is a mass-mailing worm and IRC backdoor Trojan.
W32/Mytob-ET runs continuously in the background, providing a
backdoor server which allows a remote intruder to gain access and
control over the computer via IRC channels.
When first run W32/Mytob-ET copies itself to <System>\hpmanager.exe.
The following registry entries are created to run hpmanager.exe on
startup:
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Hewlett Packard Manager
hpmanager.exe
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices
Hewlett Packard Manager
hpmanager.exe
W32/Mytob-ET sets the following registry entries, disabling the
automatic startup of other software:
HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess
Start
4
W32/Mytob-ET can spread by sending itself as an email attachment to
email addresses harvested from the infected computer.
Emails sent by the worm have characteristics from the following:
Subject lines:
Your password has been updated
Your password has been successfully updated
You have successfully updated your password
Your new account password is approved
Your Account is Suspended
*DETECTED* Online User Violation
Your Account is Suspended For Security Reasons
Warning Message: Your services near to be closed.
Important Notification
Members Support
Security measures
Email Account Suspension
Notice of account limitation
or random characters
Message text - one of the following:
The worm will insert the username and the email domain of the
addressee into the email.
Dear user <UserName>,
You have successfully updated the password of your <domain> account.
If you did not authorize this change or if you need assistance with
your account, please contact <domain> customer service at:
<sender@domain>
Thank you for using <domain>!
The <domaim> Support Team
+++ Attachment: No Virus (Clean)
+++ <domain> Antivirus - www.<domain>
Dear user <UserName>,
It has come to our attention that your <domain> User Profile ( x )
records are out of date. For further details see the attached document.
Thank you for using <domain>!
The <domain> Support Team
+++ Attachment: No Virus (Clean)
+++ <domain> Antivirus - www.<domain>
Dear <domain> Member,
We have temporarily suspended your email account <UserEmailAddress>.
This might be due to either of the following reasons:
1. A recent change in your personal information (i.e. change of
address).
2. Submiting invalid information during the initial sign up process.
3. An innability to accurately verify your selected option of
subscription due to an internal error within our processors.
See the details to reactivate your <domain> account.
Sincerely,The <domain> Support Team
+++ Attachment: No Virus (Clean)
+++ <domain> Antivirus - www.<domain>
Dear <domain> Member,
Your e-mail account was used to send a huge amount of unsolicited
spam messages during the recent week. If you could please take 5-10
minutes out of your online experience and confirm the attached
document so you will not run into any future problems with the online
service.
If you choose to ignore our request, you leave us no choice but to
cancel your membership.
Virtually yours,
The <domain> Support Team
+++ Attachment: No Virus found
+++ <domain> Antivirus - www.<domain>
Attachment name:
updated-password
email-password
new-password
password
approved-password
account-password
accepted-password
important-details
account-details
email-details
account-info
document
readme
account-report
or random characters
The zip file will contain the worm with double extension. The first
extension will be one of doc, htm, txt followed by spaces and the
second extension is exe, scr or pif.
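The padded double-extension trick described above (a decoy extension such as .doc or .txt, a run of spaces, then the real .exe/.scr/.pif) is easy to check for at a mail gateway or in a sandbox. The following is an added example, not Sophos's own code or tooling: it classifies attachment names and scans the member names of an in-memory ZIP. It also catches the unpadded "name.txt.exe" style used by the Bagle-AN filenames earlier on this page. The extension sets, the sample archive and its member names are constructed for illustration.

```python
"""Flag attachment names that disguise an executable behind a decoy
extension, as in the padded "doc<spaces>.exe" names described above.

Added example, not part of the Sophos descriptions. The extension sets are
a constructed starting point, not an exhaustive list.
"""
import io
import re
import zipfile
from typing import List, Optional, Tuple

# Extensions Windows will execute when double-clicked (constructed subset).
EXECUTABLE_EXTS = {"exe", "scr", "pif", "com", "bat", "cmd"}
# Innocuous-looking extensions used as the visible "first" extension.
DECOY_EXTS = {"doc", "htm", "html", "txt", "pdf", "jpg", "gif", "avi"}

# stem . decoy [padding] . real -- the padding is spaces/tabs inserted so
# that the real extension scrolls out of view in a mail client's list.
DOUBLE_EXT_RE = re.compile(
    r"^(?P<stem>.+?)\.(?P<decoy>[A-Za-z0-9]{1,5})"
    r"(?P<pad>[ \t]*)\.(?P<real>[A-Za-z0-9]{1,4})$"
)


def classify_attachment(name: str) -> Optional[str]:
    """Return a short reason if `name` looks like a disguised executable,
    otherwise None. Plain names with a single extension are never flagged."""
    m = DOUBLE_EXT_RE.match(name)
    if not m:
        return None
    real = m.group("real").lower()
    decoy = m.group("decoy").lower()
    pad = m.group("pad")
    if real not in EXECUTABLE_EXTS:
        return None
    if pad:
        return (f"padded double extension: .{decoy} + {len(pad)} "
                f"whitespace chars + .{real}")
    if decoy in DECOY_EXTS:
        return f"decoy double extension: .{decoy}.{real}"
    return None


def scan_zip_members(zip_bytes: bytes) -> List[Tuple[str, str]]:
    """Open a ZIP held in memory and return (member_name, reason) for every
    member whose basename classify_attachment flags."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            base = info.filename.rsplit("/", 1)[-1]  # ignore directory part
            reason = classify_attachment(base)
            if reason:
                findings.append((info.filename, reason))
    return findings


def build_sample_zip() -> bytes:
    """Constructed sample archive mimicking the attachment layout described
    above; member contents are harmless placeholder text, not malware."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("account-details.doc                .exe", "placeholder")
        zf.writestr("readme.txt", "placeholder")
        zf.writestr("Serials.txt.exe", "placeholder")
    return buf.getvalue()


if __name__ == "__main__":
    for member, why in scan_zip_members(build_sample_zip()):
        print(f"{member!r}: {why}")
```

The regex deliberately requires two extensions, so an ordinary "report.pdf" or a plain "setup.exe" is left for other controls (attachment-type policy, AV scanning) rather than being flagged here.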
W32/Mytob-ET attempts to terminate a large number of processes
related to security and anti-virus programs.
W32/Mytob-ET also modifies the Windows hosts file in order to block
access to the following websites:
127.0.0.1 www.symantec.com
127.0.0.1 securityresponse.symantec.com
127.0.0.1 symantec.com
127.0.0.1 www.sophos.com
127.0.0.1 sophos.com
127.0.0.1 www.mcafee.com
127.0.0.1 mcafee.com
127.0.0.1 liveupdate.symantecliveupdate.com
127.0.0.1 www.viruslist.com
127.0.0.1 viruslist.com
127.0.0.1 viruslist.com
127.0.0.1 f-secure.com
127.0.0.1 www.f-secure.com
127.0.0.1 kaspersky.com
127.0.0.1 kaspersky-labs.com
127.0.0.1 www.avp.com
127.0.0.1 www.kaspersky.com
127.0.0.1 avp.com
127.0.0.1 www.networkassociates.com
127.0.0.1 networkassociates.com
127.0.0.1 www.ca.com
127.0.0.1 ca.com
127.0.0.1 mast.mcafee.com
127.0.0.1 my-etrust.com
127.0.0.1 www.my-etrust.com
127.0.0.1 download.mcafee.com
127.0.0.1 dispatch.mcafee.com
127.0.0.1 secure.nai.com
127.0.0.1 nai.com
127.0.0.1 www.nai.com
127.0.0.1 update.symantec.com
127.0.0.1 updates.symantec.com
127.0.0.1 us.mcafee.com
127.0.0.1 liveupdate.symantec.com
127.0.0.1 customer.symantec.com
127.0.0.1 rads.mcafee.com
127.0.0.1 trendmicro.com
127.0.0.1 pandasoftware.com
127.0.0.1 www.pandasoftware.com
127.0.0.1 www.trendmicro.com
127.0.0.1 www.grisoft.com
127.0.0.1 www.microsoft.com
127.0.0.1 microsoft.com
127.0.0.1 www.virustotal.com
127.0.0.1 virustotal.com
127.0.0.1 www.amazon.com
127.0.0.1 www.amazon.co.uk
127.0.0.1 www.amazon.ca
127.0.0.1 www.amazon.fr
127.0.0.1 www.paypal.com
127.0.0.1 paypal.com
127.0.0.1 moneybookers.com
127.0.0.1 www.moneybookers.com
127.0.0.1 www.ebay.com
127.0.0.1 ebay.com
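Both the W32/Kassbot-H entry earlier on this page (which appends kaspersky.ru and kaspersky-labs.com hostnames to the HOSTS file) and the W32/Mytob-ET list above rely on the same trick: mapping vendor update and support sites to a loopback address so that signature updates fail silently. The following is an added example for checking a hosts file for that condition; it is not Sophos's code. The watched-domain list is a constructed subset drawn from the names on this page, the sample hosts content is constructed, and matching is on the registrable domain so that subdomains such as liveupdate.symantec.com are caught as well.

```python
"""Report hosts-file entries that sink security-vendor domains to a
loopback or unspecified (0.0.0.0) address.

Added example, not from the Sophos descriptions above. WATCHED_DOMAINS is a
constructed, illustrative subset; extend it from your own environment.
"""
import ipaddress
from typing import Iterable, List, Tuple

# Constructed watch-list built from the vendor names listed on this page.
WATCHED_DOMAINS = (
    "symantec.com", "symantecliveupdate.com", "sophos.com", "mcafee.com",
    "kaspersky.com", "kaspersky.ru", "kaspersky-labs.com", "f-secure.com",
    "trendmicro.com", "pandasoftware.com", "grisoft.com", "nai.com",
    "ca.com", "my-etrust.com", "microsoft.com", "virustotal.com",
    "avp.com", "viruslist.com", "networkassociates.com",
)


def _is_sink_address(addr: str) -> bool:
    """True for 127.x.x.x, ::1 and 0.0.0.0/::, the usual sinkhole targets."""
    try:
        ip = ipaddress.ip_address(addr)
    except ValueError:
        return False
    return ip.is_loopback or ip.is_unspecified


def _is_watched(host: str, watched: Iterable[str]) -> bool:
    host = host.lower().rstrip(".")
    return any(host == d or host.endswith("." + d) for d in watched)


def find_sinkholed_vendors(
    hosts_text: str, watched: Iterable[str] = WATCHED_DOMAINS
) -> List[Tuple[int, str, str]]:
    """Return (line_number, address, hostname) for each hosts-file line that
    maps a watched hostname to a sink address. Comments and blank lines are
    skipped; a line may carry several hostnames after the address."""
    watched = tuple(watched)
    hits = []
    for lineno, raw in enumerate(hosts_text.splitlines(), start=1):
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.split()
        addr, names = parts[0], parts[1:]
        if not _is_sink_address(addr):
            continue
        for name in names:
            if _is_watched(name, watched):
                hits.append((lineno, addr, name))
    return hits


# Constructed sample hosts file: two legitimate localhost lines, three
# entries in the style of the lists above, and an ad-blocker style entry.
SAMPLE_HOSTS = """# Constructed sample hosts file
127.0.0.1 localhost
::1 localhost
127.0.0.1 www.symantec.com
127.0.0.1 liveupdate.symantec.com
127.0.0.1 d-ru-1f.kaspersky-labs.com
0.0.0.0 ads.example.invalid   # ad-blocker style entry, not a vendor
127.0.0.1 www.paypal.com
"""


if __name__ == "__main__":
    for lineno, addr, name in find_sinkholed_vendors(SAMPLE_HOSTS):
        print(f"line {lineno}: {name} -> {addr}")
```

On Windows the file to read is %SystemRoot%\System32\drivers\etc\hosts. Passing a different `watched` tuple lets the same check cover the payment and auction sites that W32/Mytob-ET also blocks, which a vendor-only list deliberately ignores.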
Name Troj/Sisery-A
Type
* Spyware Trojan
Affected operating systems
* Windows
Side effects
* Modifies data on the computer
* Deletes files off the computer
* Steals information
* Reduces system security
* Records keystrokes
* Installs itself in the Registry
Prevalence (1-5) 2
Description
Troj/Sisery-A is a Trojan for the Windows platform.
The Trojan is a nuisance program which modifies the default behaviors
of Microsoft Windows and several applications.
Advanced
Troj/Sisery-A is a Trojan for the Windows platform.
The Trojan is a nuisance program which modifies the default behaviors
of Microsoft Windows and several applications. Troj/Sisery-A may make
the following changes to the infected computer:
- offset the Desktop wallpaper to the lower right
- remove the "log off" option from the shutdown menu
- display a message box entitled "DANGER" on user login
- change the title of Internet Explorer
- create a folder in the root folder containing "WINDOWS" and
non-printable characters
- cause a long delay before the Start menu (and any sub-menus) appears
- disable the context menu
- disable the Control Panel