Text 69, 1314 lines
Written 2005-10-30 19:30:00 by KURT WISMER (1:123/140)
Subject: News, October 30 2005
=============================
[cut-n-paste from sophos.com]
Name Troj/Hanlo-B
Type
* Trojan
Affected operating systems
* Windows
Side effects
* Drops more malware
* Downloads code from the internet
Aliases
* Trojan-Downloader.Win32.Hanlo.b
* Downloader-AGH
* TROJ_DLOADER.AJQ
Prevalence (1-5) 2
Description
Troj/Hanlo-B is a Trojan for the Windows platform.
Troj/Hanlo-B includes functionality to access the internet and
communicate with a remote server via HTTP.
Troj/Hanlo-B downloads the following files:
tBmp107.exe
tBmp207.exe
tBmp307.exe
tBmp407.exe
tBmp507.exe
tBmp607.exe
tBmp707.exe
Advanced
Troj/Hanlo-B is a Trojan for the Windows platform.
Troj/Hanlo-B includes functionality to access the internet and
communicate with a remote server via HTTP.
Troj/Hanlo-B downloads the following files:
tBmp107.exe
tBmp207.exe
tBmp307.exe
tBmp407.exe
tBmp507.exe
tBmp607.exe
tBmp707.exe
Troj/Hanlo-B creates the following file:
<System>\avA6.sys
The file avA6.sys is detected as Troj/Haxdor-Gen.
The file avA6.sys is registered as a new system driver service named
"avA6", with a display name of "AVP update interface A6". Registry
entries are created under:
HKLM\SYSTEM\CurrentControlSet\Services\avA6\
Name W32/Rbot-ATC
Type
* Worm
How it spreads
* Network shares
Affected operating systems
* Windows
Side effects
* Allows others to access the computer
* Downloads code from the internet
* Installs itself in the Registry
* Exploits system or software vulnerabilities
* Used in DOS attacks
Aliases
* Backdoor.Win32.Rbot.nt
* BKDR_SDBOT.ON
Prevalence (1-5) 2
Description
W32/Rbot-ATC is a worm and IRC backdoor Trojan for the Windows
platform.
W32/Rbot-ATC spreads to other network computers by exploiting common
buffer overflow vulnerabilities, including: LSASS (MS04-011), RPC-DCOM
(MS04-012) and WKS (MS03-049) (CAN-2003-0812) and by copying itself
to network shares protected by weak passwords.
W32/Rbot-ATC runs continuously in the background, providing a
backdoor server which allows a remote intruder to gain access and
control over the computer via IRC channels.
W32/Rbot-ATC includes functionality to:
- carry out DDoS flooder attacks
- silently download, install and run new software, including updates
of its software
The following patches for the operating system vulnerabilities
exploited by W32/Rbot-ATC can be obtained from the Microsoft website:
MS04-011
MS04-012
MS03-049
Advanced
W32/Rbot-ATC is a worm and IRC backdoor Trojan for the Windows
platform.
W32/Rbot-ATC spreads to other network computers by exploiting common
buffer overflow vulnerabilities, including: LSASS (MS04-011), RPC-DCOM
(MS04-012) and WKS (MS03-049) (CAN-2003-0812) and by copying itself
to network shares protected by weak passwords.
W32/Rbot-ATC runs continuously in the background, providing a
backdoor server which allows a remote intruder to gain access and
control over the computer via IRC channels.
W32/Rbot-ATC includes functionality to:
- carry out DDoS flooder attacks
- silently download, install and run new software, including updates
of its software
When first run W32/Rbot-ATC copies itself to <System>\MSAOL32dll.exe.
The following registry entries are created to run MSAOL32dll.exe on
startup:
HKCU\Software\Microsoft\Windows\CurrentVersion\Run
AOL Instant Messenger dll runtime
MSAOL32dll.exe
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
AOL Instant Messenger dll runtime
MSAOL32dll.exe
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices
AOL Instant Messenger dll runtime
MSAOL32dll.exe
The following patches for the operating system vulnerabilities
exploited by W32/Rbot-ATC can be obtained from the Microsoft website:
MS04-011
MS04-012
MS03-049
Name Troj/Midrug-B
Type
* Trojan
Affected operating systems
* Windows
Side effects
* Allows others to access the computer
* Installs itself in the Registry
Aliases
* BackDoor-AYE
Prevalence (1-5) 2
Description
Troj/Midrug-B is a Trojan for the Windows platform. It may attempt to
connect to a remote server.
Advanced
Troj/Midrug-B is a Trojan for the Windows platform. It may attempt to
connect to a remote server.
Troj/Midrug-B is capable of creating a registry entry to auto start
itself under:
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Name W32/Mytob-BZ
Type
* Spyware Worm
How it spreads
* Email attachments
* Network shares
Affected operating systems
* Windows
Side effects
* Allows others to access the computer
* Sends itself to email addresses found on the infected computer
* Modifies data on the computer
* Steals information
* Drops more malware
Prevalence (1-5) 2
Description
W32/Mytob-BZ is a mass-mailing worm and backdoor Trojan that can be
controlled through the Internet Relay Chat (IRC) network.
W32/Mytob-BZ is capable of spreading through email and through
various operating system vulnerabilities such as LSASS (MS04-011).
W32/Mytob-BZ harvests email addresses from files on the infected
computer and from the Windows address book.
Advanced
W32/Mytob-BZ is a mass-mailing worm and backdoor Trojan that can be
controlled through the Internet Relay Chat (IRC) network.
When first run W32/Mytob-BZ copies itself to the Windows system
folder as taskgmr.exe and creates the following registry entries:
HKCU\System\CurrentControlSet\Control\Lsa
W1NTASK
taskgmr.exe
HKCU\Software\Microsoft\OLE
W1NTASK
taskgmr.exe
HKCU\Software\Microsoft\Windows\CurrentVersion\Run
W1NTASK
taskgmr.exe
HKLM\System\CurrentControlSet\Control\Lsa
W1NTASK
taskgmr.exe
HKLM\Software\Microsoft\Ole
W1NTASK
taskgmr.exe
HKLM\Software\Microsoft\Windows\CurrentVersion\Run
W1NTASK
taskgmr.exe
HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices
W1NTASK
taskgmr.exe
W32/Mytob-BZ copies itself to the root folder as:
funny_pic.scr
my_photo2005.scr
see_this!!.scr
and drops a file called hellmsn.exe (detected by Sophos as W32/Mytob-D)
in the same location. This component attempts to spread the worm by
sending the aforementioned SCR files through Windows Messenger to all
online contacts.
W32/Mytob-BZ also appends the following to the HOSTS file to deny
access to security related websites:
127.0.0.1 www.symantec.com
127.0.0.1 securityresponse.symantec.com
127.0.0.1 symantec.com
127.0.0.1 www.sophos.com
127.0.0.1 sophos.com
127.0.0.1 www.mcafee.com
127.0.0.1 mcafee.com
127.0.0.1 liveupdate.symantecliveupdate.com
127.0.0.1 www.viruslist.com
127.0.0.1 viruslist.com
127.0.0.1 viruslist.com
127.0.0.1 f-secure.com
127.0.0.1 www.f-secure.com
127.0.0.1 kaspersky.com
127.0.0.1 www.avp.com
127.0.0.1 www.kaspersky.com
127.0.0.1 avp.com
127.0.0.1 www.networkassociates.com
127.0.0.1 networkassociates.com
127.0.0.1 www.ca.com
127.0.0.1 ca.com
127.0.0.1 mast.mcafee.com
127.0.0.1 my-etrust.com
127.0.0.1 www.my-etrust.com
127.0.0.1 download.mcafee.com
127.0.0.1 dispatch.mcafee.com
127.0.0.1 secure.nai.com
127.0.0.1 nai.com
127.0.0.1 www.nai.com
127.0.0.1 update.symantec.com
127.0.0.1 updates.symantec.com
127.0.0.1 us.mcafee.com
127.0.0.1 liveupdate.symantec.com
127.0.0.1 customer.symantec.com
127.0.0.1 rads.mcafee.com
127.0.0.1 trendmicro.com
127.0.0.1 www.microsoft.com
127.0.0.1 www.trendmicro.com
W32/Mytob-BZ is capable of spreading through email and through
various operating system vulnerabilities such as LSASS (MS04-011).
Email sent by W32/Mytob-BZ has the following properties:
Subject line:
document
Good day
Mail Delivery System
Mail Transaction Failed
message
readme
Server Report
Status
Message text:
'This is a multi-part message in MIME format.'
'Mail transaction failed. Partial message is available.'
'The message contains Unicode characters and has been sent as a
binary attachment.'
'The message cannot be represented in 7-bit ASCII encoding and has
been sent as a binary attachment.'
'The original message was included as an attachment.'
'Here are your banks documents.'
The attached file consists of a base name followed by the extensions
PIF, SCR, EXE or ZIP. The worm may optionally create double
extensions where the first extension is DOC, TXT or HTM and the final
extension is PIF, SCR, EXE or ZIP.
W32/Mytob-BZ harvests email addresses from files on the infected
computer and from the Windows address book. The worm avoids sending
email to addresses that contain the following:
.gov
.mil
accoun
acketst
admin
anyone
arin.
avp
berkeley
borlan
bsd
bsd
bugs
ca
certific
contact
example
feste
fido
foo.
fsf.
gnu
gold-certs
google
google
gov.
help
iana
ibm.com
icrosof
icrosoft
ietf
info
inpris
isc.o
isi.e
kernel
linux
linux
listserv
math
me
mit.e
mozilla
mydomai
no
nobody
nodomai
noone
not
nothing
ntivi
page
panda
pgp
postmaster
privacy
rating
rfc-ed
ripe.
root
ruslis
samples
secur
sendmail
service
site
soft
somebody
someone
sopho
submit
support
syma
tanford.e
the.bat
unix
unix
usenet
utgers.ed
webmaster
you
your
Name W32/Rbot-ATE
Type
* Worm
How it spreads
* Network shares
Affected operating systems
* Windows
Side effects
* Allows others to access the computer
* Installs itself in the Registry
* Exploits system or software vulnerabilities
Aliases
* Backdoor.Win32.Rbot.aci
Prevalence (1-5) 2
Description
W32/Rbot-ATE is a worm and IRC backdoor Trojan for the Windows
platform.
W32/Rbot-ATE spreads to network shares with weak passwords and by
exploiting common buffer overflow vulnerabilities, including: RPC-DCOM
(MS04-012), PNP (MS05-039) and ASN.1 (MS04-007).
W32/Rbot-ATE runs continuously in the background, providing a
backdoor server which allows a remote intruder to gain access and
control over the computer via IRC channels.
Advanced
W32/Rbot-ATE is a worm and IRC backdoor Trojan for the Windows
platform.
W32/Rbot-ATE spreads to network shares with weak passwords and by
exploiting common buffer overflow vulnerabilities, including: RPC-DCOM
(MS04-012), PNP (MS05-039) and ASN.1 (MS04-007).
W32/Rbot-ATE runs continuously in the background, providing a
backdoor server which allows a remote intruder to gain access and
control over the computer via IRC channels.
When first run W32/Rbot-ATE copies itself to <System>\hhs32.pif.
The following registry entries are created to run hhs32.pif on startup:
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
HTML32 Help System
hhs32.pif
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices
HTML32 Help System
hhs32.pif
HKCU\Software\Microsoft\Windows\CurrentVersion\Run
HTML32 Help System
hhs32.pif
HKCU\Software\Microsoft\Windows\CurrentVersion\RunServices
HTML32 Help System
hhs32.pif
Registry entries are set as follows:
HKLM\SOFTWARE\Microsoft\OLE
HTML32 Help System
hhs32.pif
HKCU\Software\Microsoft\OLE
HTML32 Help System
hhs32.pif
HKLM\SYSTEM\CurrentControlSet\Control\Lsa
HTML32 Help System
hhs32.pif
HKCU\SYSTEM\CurrentControlSet\Control\Lsa
HTML32 Help System
hhs32.pif
Name Troj/Keylog-AP
Type
* Spyware Trojan
Affected operating systems
* Windows
Side effects
* Steals information
* Forges the sender's email address
* Uses its own emailing engine
* Records keystrokes
* Installs itself in the Registry
Aliases
* Trojan-Dropper.Win32.Agent.zf
Prevalence (1-5) 2
Description
Troj/Keylog-AP is a keylogging Trojan for the Windows platform.
Advanced
Troj/Keylog-AP is a keylogging Trojan for the Windows platform.
When Troj/Keylog-AP is installed it creates the file
<System>\wcsys.exe.
The following registry entry is created to run wcsys.exe on startup:
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
wcsys
<System>\wcsys.exe
Troj/Keylog-AP creates a file named wcsys.dll in the Windows system
folder. This file is detected as Troj/Keylog-AC.
The Trojan may inject itself into the explorer process or register
itself as a service process in order to prevent itself from being
terminated.
Troj/Keylog-AP records keystrokes to the file wcsys32.dll in the
Windows system folder. When this file becomes larger than 4kb, its
contents are submitted to the author by email.
Name W32/Agobot-TW
Type
* Worm
How it spreads
* Network shares
Affected operating systems
* Windows
Side effects
* Allows others to access the computer
* Installs itself in the Registry
* Exploits system or software vulnerabilities
Prevalence (1-5) 2
Description
W32/Agobot-TW is a worm and backdoor Trojan for the Windows platform.
W32/Agobot-TW runs continuously in the background, providing a
backdoor server which allows a remote intruder to gain access and
control over the computer.
W32/Agobot-TW spreads via common buffer overflow exploits, including
LSASS (MS04-011), RPC-DCOM (MS04-012), and PNP (MS05-039), as well as
to weakly protected network shares.
Advanced
W32/Agobot-TW is a worm and backdoor Trojan for the Windows platform.
W32/Agobot-TW runs continuously in the background, providing a
backdoor server which allows a remote intruder to gain access and
control over the computer.
W32/Agobot-TW spreads via common buffer overflow exploits, including
LSASS (MS04-011), RPC-DCOM (MS04-012), and PNP (MS05-039), as well as
to weakly protected network shares.
When first run W32/Agobot-TW copies itself to <System>\msn5.exe.
The following registry entries are created to run msn5.exe on startup:
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Video Process
msn5.exe
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices
Video Process
msn5.exe
The file msn5.exe is registered as a new file system driver service
named "Video Process", with a display name of "Video Process" and a
startup type of automatic, so that it is started automatically during
system startup. Registry entries are created under:
HKLM\SYSTEM\CurrentControlSet\Services\Video Process\
Name W32/Chode-J
Type
* Worm
How it spreads
* Chat programs
Affected operating systems
* Windows
Side effects
* Turns off anti-virus applications
* Allows others to access the computer
* Installs itself in the Registry
* Used in DOS attacks
Aliases
* Backdoor.Win32.Virkel.a
Prevalence (1-5) 2
Description
W32/Chode-J is a worm with IRC backdoor Trojan functionality.
W32/Chode-J attempts to spread via MSN Instant Messenger and AOL
Instant Messenger, by sending users a link to a copy of the worm.
W32/Chode-J includes functionality to:
- carry out DDoS flooder attacks
- provide a proxy server
- silently download, install and run new software
- modify the HOSTS file
- disable other software, including anti-virus, firewall and security
related applications
- update itself
W32/Chode-J attempts to disable a number of AV and security related
processes.
W32/Chode-J modifies the HOSTS file, changing the URL-to-IP mappings
for selected websites.
Advanced
W32/Chode-J is a worm with IRC backdoor Trojan functionality.
W32/Chode-J attempts to spread via MSN Instant Messenger and AOL
Instant Messenger, by sending users a link to a copy of the worm.
W32/Chode-J includes functionality to:
- carry out DDoS flooder attacks
- provide a proxy server
- silently download, install and run new software
- modify the HOSTS file
- disable other software, including anti-virus, firewall and security
related applications
- update itself
When first run W32/Chode-J copies itself to
<System>\<random>\csrss.exe and also creates the file csrss.lnk to
the <Startup> folder.
The following registry entries are created:
HKCU\Software\Microsoft\Windows NT\CurrentVersion\Run
csrss
"<System>\<random>\csrss.exe"
HKCU\Software\Microsoft\Windows\CurrentVersion\Run
csrss
"<Program Files>\<Messenger>\msmsgs.exe /background"
HKLM\Software\Microsoft\Windows\CurrentVersion\Run
csrss
"nwiz.exe /installquiet"
W32/Chode-J modifies a number of registry entries as the following:
HKCU\Software\Microsoft\Windows NT\CurrentVersion\Windows
load
"<System>\<random>\csrss.exe"
HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced
Hidden
2
HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced
ShowSuperHidden
0
HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced
SuperHidden
0
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SystemRestore
DisableSR
1
HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess
Start
4
HKLM\SYSTEM\CurrentControlSet\Services\srservice
Start
4
W32/Chode-J also inserts the following entries into the [Windows] section
of <Windows>\win.ini:
run=<System>\<random>\csrss.exe
load=<System>\<random>\csrss.exe
W32/Chode-J modifies the HOSTS file, changing the URL-to-IP mappings
for selected websites, therefore preventing normal access to these
sites. The new HOSTS file will typically contain the following:
127.0.0.1 avp.com
127.0.0.1 www.avp.com
127.0.0.1 ca.com
127.0.0.1 dispatch.mcafee.com
127.0.0.1 download.mcafee.com
127.0.0.1 f-secure.com
127.0.0.1 fastclick.net
127.0.0.1 ftp.f-secure.com
127.0.0.1 ftp.sophos.com
127.0.0.1 liveupdate.symantec.com
127.0.0.1 customer.symantec.com
127.0.0.1 rads.mcafee.com
127.0.0.1 mast.mcafee.com
127.0.0.1 mcafee.com
127.0.0.1 my-etrust.com
127.0.0.1 nai.com
127.0.0.1 networkassociates.com
127.0.0.1 secure.nai.com
127.0.0.1 securityresponse.symantec.com
127.0.0.1 service1.symantec.com
127.0.0.1 sophos.com
127.0.0.1 support.microsoft.com
127.0.0.1 symantec.com
127.0.0.1 update.symantec.com
127.0.0.1 updates.symantec.com
127.0.0.1 us.mcafee.com
127.0.0.1 vil.nai.com
127.0.0.1 viruslist.com
127.0.0.1 www.viruslist.com
127.0.0.1 www.awaps.net
127.0.0.1 www.ca.com
127.0.0.1 www.f-secure.com
127.0.0.1 www.fastclick.net
127.0.0.1 www.mcafee.com
127.0.0.1 www.microsoft.com
127.0.0.1 www.my-etrust.com
127.0.0.1 www.nai.com
127.0.0.1 www.networkassociates.com
127.0.0.1 www.sophos.com
127.0.0.1 www.symantec.com
127.0.0.1 www3.ca.com
127.0.0.1 www.grisoft.com
127.0.0.1 grisoft.com
127.0.0.1 housecall.trendmicro.com
127.0.0.1 trendmicro.com
127.0.0.1 www.trendmicro.com
127.0.0.1 www.pandasoftware.com
127.0.0.1 pandasoftware.com
127.0.0.1 kaspersky.com
127.0.0.1 www.kaspersky.com
127.0.0.1 www.zonelabs.com
127.0.0.1 zonelabs.com
127.0.0.1 www.spywareinfo.com
127.0.0.1 spywareinfo.com
127.0.0.1 www.merijn.org
127.0.0.1 merijn.org
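Both W32/Mytob-BZ and W32/Chode-J block access to vendor update sites by appending "127.0.0.1 <domain>" lines to the HOSTS file. The following is an added example, not code from Sophos or from this post: it parses a HOSTS file and reports every name that is mapped to a loopback or unspecified address (0.0.0.0 sinkholing is included as a generalisation, although the lists above only use 127.0.0.1), flagging with higher confidence any name under the vendor domains quoted in the two lists. The vendor watchlist, the SAMPLE_HOSTS text and the function names are constructed for this example.

```python
"""Flag HOSTS-file entries that sinkhole security vendor domains.

Added example (not Sophos code). Run it against C:\\Windows\\System32\\
drivers\\etc\\hosts or any copy collected during incident triage.
"""
from __future__ import annotations
import ipaddress
from dataclasses import dataclass

# Second-level domains taken from the HOSTS entries quoted in the
# W32/Mytob-BZ and W32/Chode-J descriptions; any subdomain matches.
VENDOR_DOMAINS = {
    "symantec.com", "symantecliveupdate.com", "sophos.com", "mcafee.com",
    "viruslist.com", "f-secure.com", "kaspersky.com", "avp.com",
    "networkassociates.com", "nai.com", "ca.com", "my-etrust.com",
    "trendmicro.com", "microsoft.com", "grisoft.com", "pandasoftware.com",
    "zonelabs.com", "spywareinfo.com", "merijn.org",
}

# Names a HOSTS file legitimately maps to loopback.
LEGIT_LOOPBACK_NAMES = {"localhost", "localhost.localdomain", "broadcasthost",
                        "ip6-localhost", "ip6-loopback"}


@dataclass(frozen=True)
class Finding:
    line_no: int
    address: str
    hostname: str
    vendor_match: bool   # True when the name falls under VENDOR_DOMAINS


def _is_sinkhole(addr: str) -> bool:
    """Loopback (127/8, ::1) or unspecified (0.0.0.0, ::) addresses."""
    try:
        ip = ipaddress.ip_address(addr)
    except ValueError:
        return False
    return ip.is_loopback or ip.is_unspecified


def _matches_vendor(hostname: str) -> bool:
    host = hostname.lower().rstrip(".")
    return any(host == d or host.endswith("." + d) for d in VENDOR_DOMAINS)


def scan_hosts(text: str) -> list[Finding]:
    """Return one Finding per non-localhost name mapped to a sinkhole address."""
    findings: list[Finding] = []
    for line_no, raw in enumerate(text.splitlines(), start=1):
        line = raw.split("#", 1)[0].strip()      # drop comments and blanks
        if not line:
            continue
        parts = line.split()
        addr, names = parts[0], parts[1:]
        if not _is_sinkhole(addr):
            continue                              # ordinary LAN/DNS override
        for name in names:
            if name.lower() in LEGIT_LOOPBACK_NAMES:
                continue
            findings.append(Finding(line_no, addr, name, _matches_vendor(name)))
    return findings


# Constructed sample: a stock HOSTS file with lines appended in the style
# quoted in the Mytob-BZ and Chode-J descriptions (not a real capture).
SAMPLE_HOSTS = """\
# Constructed sample HOSTS file
# (comment lines and the localhost entries are normal)
127.0.0.1       localhost
::1             localhost
127.0.0.1 www.symantec.com
127.0.0.1 liveupdate.symantec.com
127.0.0.1 www.sophos.com
0.0.0.0 housecall.trendmicro.com
127.0.0.1 www.fastclick.net
192.168.1.10    fileserver.corp.example   # normal LAN entry, not flagged
"""

if __name__ == "__main__":
    for f in scan_hosts(SAMPLE_HOSTS):
        tag = "VENDOR" if f.vendor_match else "other"
        print(f"line {f.line_no}: {f.address} -> {f.hostname} [{tag}]")
```

Entries that sinkhole a name outside the watchlist (www.fastclick.net in the sample, an ad network that also appears in the Chode-J list) are still reported, because a HOSTS file on a workstation normally contains nothing beyond localhost; the vendor flag only ranks which findings to look at first.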
W32/Chode-J attempts to disable the following processes:
MCAgentExe
navapsvc
ccEvtMgr
SNDSrvc
ccProxy
ccPwdSvc
ccSetMgr
SPBBCSvc
SAVScan
SBService
SmcService
OutpostFirewall
CAISafe
PcCtlCom
tmproxy
Tmntsrv
net stop
sc config
start= disabled
CleanUp
MCUpdateExe
VirusScan Online
VSOCheckTask
Symantec NetDriver Monitor
Outpost Firewall
gcasServ
pccguide.exe
KAVPersonal50
Zone Labs Client
services
mpftray.exe
microsoft antispyware*
hijackthis*
msconfig.exe
kav.exe
kavsvc.exe
mcvsshld.exe
mcagent.exe
mcvsrte.exe
mcshield.exe
mcvsftsn.exe
mcdash.exe
mcvsescn.exe
mcinfo.exe
mpfagent.exe
CIzh_DataArrival'
mpfservice.exe
mskagent.exe
mcmnhdlr.exe
sndsrvc.exe
usrprmpt.exe
ccapp.exe
ccevtmgr.exe
spbbcsvc.exe
ccsetmgr.exe
symlcsvc.exe
npfmntor.exe
navapsvc.exe
issvc.exe
ccproxy.exe
tmpfw.exe
navapw32.exe
navw32.exe
smc.exe
outpost.exe
zlclient.exe
vsmon.exe
isafe.exe
pandaavengine.exe
regedit.exe
hijackthis.exe
gcasdtserv.exe
gcasserv.exe
pcctlcom.exe
tmntsrv.exe
tmproxy.exe
pcclient.exe
ethereal.exe
wpe pro.exe
nat.exe
winsp3.exe
Name W32/Rbot-ATL
Type
* Worm
How it spreads
* Network shares
Affected operating systems
* Windows
Side effects
* Allows others to access the computer
* Downloads code from the internet
* Reduces system security
* Installs itself in the Registry
* Exploits system or software vulnerabilities
Aliases
* Backdoor.Win32.Rbot.gen
* W32.Spybot.Worm
* WORM_RBOT.CMT
Prevalence (1-5) 2
Description
W32/Rbot-ATL is a worm and IRC backdoor Trojan for the Windows
platform.
W32/Rbot-ATL spreads:
- to other network computers by exploiting common buffer overflow
vulnerabilities, including: LSASS (MS04-011), RPC-DCOM (MS04-012),
WKS (MS03-049) (CAN-2003-0812), WINS (MS04-045), Dameware
(CAN-2003-1030), MSSQL (MS02-039) (CAN-2002-0649) and PNP (MS05-039)
- to other network computers running MSSQL servers protected by weak
passwords
- by copying itself to network shares protected by weak passwords
W32/Rbot-ATL runs continuously in the background, providing a
backdoor server which allows a remote intruder to gain access and
control over the computer via IRC channels.
Advanced
W32/Rbot-ATL is a worm and IRC backdoor Trojan for the Windows
platform.
W32/Rbot-ATL spreads:
- to other network computers by exploiting common buffer overflow
vulnerabilities, including: LSASS (MS04-011), RPC-DCOM (MS04-012),
WKS (MS03-049) (CAN-2003-0812), WINS (MS04-045), Dameware
(CAN-2003-1030), MSSQL (MS02-039) (CAN-2002-0649) and PNP (MS05-039)
- to other network computers running MSSQL servers protected by weak
passwords
- by copying itself to network shares protected by weak passwords
W32/Rbot-ATL runs continuously in the background, providing a
backdoor server which allows a remote intruder to gain access and
control over the computer via IRC channels.
When first run W32/Rbot-ATL copies itself to
<System>\msnq3insller.exe.
The following registry entries are created to run msnq3insller.exe on
startup:
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
MS Unix Binary
msnq3insller.exe
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices
MS Unix Binary
msnq3insller.exe
HKCU\Software\Microsoft\Windows\CurrentVersion\Run
MS Unix Binary
msnq3insller.exe
Name Troj/Dloader-XF
Type
* Trojan
Affected operating systems
* Windows
Side effects
* Downloads code from the internet
* Installs itself in the Registry
Prevalence (1-5) 2
Description
Troj/Dloader-XF is a Trojan for the Windows platform.
Advanced
Troj/Dloader-XF is a Trojan for the Windows platform.
When Troj/Dloader-XF is installed it creates and executes the file
<System>\run.dll without notifying the user. The Trojan will also
attempt to download files from a remote URL to the locations:
<System>\q4.pak
<System>\prc.exe
The file run.dll is also detected as Troj/Dloader-XF.
The following registry entry is created to run the exported code on
startup using the name SecurePatch:
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\
SharedTaskScheduler
(2F212B1B-1313-1BBC-02A8-7CA23A23E13F)
SecurePatch
The following registry entry is set:
HKCU\Software\Classes\CLSID\(2F212B1B-1313-1BBC-02A8-7CA23A23E13F)\
InProcServer32
(default)
<System>\run.dll
Registry entries are created under:
HKCU\Software\Classes\CLSID\(2F212B1B-1313-1BBC-02A8-7CA23A23E13F)\
InProcServer32\
Troj/Dloader-XF will attempt to delete registry entries under:
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\
SharedTaskScheduler
Windows Update
Software\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad
Windows Update
Name W32/Sdbot-ZM
Type
* Spyware Worm
How it spreads
* Network shares
Affected operating systems
* Windows
Side effects
* Turns off anti-virus applications
* Allows others to access the computer
* Modifies data on the computer
* Deletes files off the computer
* Steals information
Aliases
* Backdoor.Win32.SdBot.yx
Prevalence (1-5) 2
Description
W32/Sdbot-ZM is a network worm with backdoor Trojan functionality for
the Windows platform.
The worm spreads through network shares protected by weak passwords,
MS-SQL servers and through various operating system vulnerabilities.
W32/Sdbot-ZM connects to a predetermined IRC channel and awaits
further commands from remote users.
Advanced
W32/Sdbot-ZM is a network worm with backdoor Trojan functionality for
the Windows platform.
When first run, W32/Sdbot-ZM copies itself to the Windows system
folder as nawdll32.exe and creates the following registry entries in
order to run each time a user logs on:
HKLM\SOFTWARE\Microsoft\Ole
nawdll32
"nawdll32.exe"
HKLM\SYSTEM\CurrentControlSet\Control\Lsa
nawdll32
"nawdll32.exe"
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
nawdll32
"nawdll32.exe"
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce
nawdll32
"nawdll32.exe"
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices
nawdll32
"nawdll32.exe"
HKCU\Software\Microsoft\OLE
nawdll32
"nawdll32.exe"
HKCU\System\CurrentControlSet\Control\Lsa
nawdll32
"nawdll32.exe"
HKCU\Software\Microsoft\Windows\CurrentVersion\Run
nawdll32
"nawdll32.exe"
HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnce
nawdll32
"nawdll32.exe"
HKCU\Software\Microsoft\Windows\CurrentVersion\RunServices
nawdll32
"nawdll32.exe"
The worm spreads through network shares protected by weak passwords,
MS-SQL servers and through various operating system vulnerabilities.
W32/Sdbot-ZM connects to a predetermined IRC channel and awaits
further commands from remote users. The backdoor component of
W32/Sdbot-ZM can be instructed to perform the following functions:
scan networks for vulnerabilities
download/execute arbitrary files
start an ftp server
Patches for the vulnerabilities exploited by W32/Sdbot-ZM can be
obtained from Microsoft at:
http://www.microsoft.com/technet/security/bulletin/MS02-039.mspx
http://www.microsoft.com/technet/security/bulletin/MS04-011.mspx
http://www.microsoft.com/technet/security/bulletin/MS04-012.mspx
Name W32/Randex-Y
Type
* Worm
Aliases
* WORM_RANDEX.GEN
* Backdoor.IRCBot.gen
Prevalence (1-5) 2
Description
W32/Randex-Y is a network worm with backdoor capabilities which
allows a remote intruder to access and control the computer via IRC
channels.
W32/Randex-Y chooses IP addresses at random and tries to connect to
the IPC$ share using simple passwords. If the connection is
successful the worm copies itself to the following remote locations:
\ADMIN$\system32\msnv32.exe
\C$\WINNT\system32\msnv32.exe
W32/Randex-Y then schedules a job to execute the remotely created
files.
Each time the worm is run it tries to connect to a remote IRC server
and join a specific channel. The worm then runs in the background as
a server process listening for commands to execute.
When first run the worm copies itself to the Windows system folder as
IRBMe.exe and adds the following registry entries to point to this
copy of the worm to ensure it is run at system startup:
HKLM\Software\Microsoft\Windows\CurrentVersion\Run\IRBMe Sucks!!
HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices\IRBMe Sucks!!
W32/Randex-Y may also create the file remove.bat in the Windows temp
folder. This file is not malicious and can simply be deleted.
Name W32/Rbot-AUF
Type
* Worm
How it spreads
* Network shares
Affected operating systems
* Windows
Side effects
* Allows others to access the computer
* Installs itself in the Registry
Aliases
* W32/Sdbot.worm.gen.l
* W32.Spybot.Worm
* WORM_SPYBOT.AHZ
Prevalence (1-5) 2
Description
W32/Rbot-AUF is a worm and IRC backdoor for the Windows platform.
W32/Rbot-AUF runs continuously in the background, providing a
backdoor server which allows a remote intruder to gain access and
control over the computer via IRC channels.
Advanced
W32/Rbot-AUF is a worm and IRC backdoor for the Windows platform.
W32/Rbot-AUF runs continuously in the background, providing a
backdoor server which allows a remote intruder to gain access and
control over the computer via IRC channels.
When first run W32/Rbot-AUF copies itself to
<Windows system folder>\msconfig32.exe.
The following registry entries are created to run msconfig32.exe on
startup:
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
MS-patch
msconfig32.exe
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices
MS-patch
msconfig32.exe
Registry entries are set as follows:
HKLM\SOFTWARE\Microsoft\Ole
EnableDCOM
N
HKLM\SYSTEM\CurrentControlSet\Control\Lsa
restrictanonymous
1
Name Troj/Agent-EU
Type
* Spyware Trojan
Affected operating systems
* Windows
Side effects
* Allows others to access the computer
* Steals information
* Installs itself in the Registry
* Used in DOS attacks
Aliases
* Backdoor.Win32.Agent.oo
* MultiDropper-JD
Prevalence (1-5) 2
Description
Troj/Agent-EU is a Trojan for the Windows platform.
Troj/Agent-EU can steal information and may attempt to hide its files.
The Trojan can make contact with a remote internet site, and may be
used in DDoS attacks.
Advanced
Troj/Agent-EU is a Trojan for the Windows platform.
Troj/Agent-EU can steal information and may attempt to hide its files.
The Trojan can make contact with a remote internet site, and may be
used in DDoS attacks.
Troj/Agent-EU may create files named system.exe, libHide.dll,
systemup.exe and vbstub.exe.
Troj/Agent-EU may create a registry entry in order to run
automatically on computer login under:
HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run
explorer
<path to Trojan>
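Nearly every entry above persists through a value under the Run, RunOnce, RunServices or Policies\Explorer\Run keys, and the Rbot, Mytob and Sdbot variants (W32/Rbot-ATE, W32/Mytob-BZ, W32/Sdbot-ZM) also write the same value name under Software\Microsoft\Ole and System\CurrentControlSet\Control\Lsa, which are not autorun locations at all. The following is an added example, not code from Sophos or from this post: it parses the text written by "reg export" (a .reg file), lists the string values under those key paths, treats an executable name stored under the Ole or Lsa keys as suspicious in its own right, and matches value names and file names against those quoted in the advisories above. The SAMPLE_EXPORT text, the KNOWN_NAMES and KNOWN_FILES sets and the function names are constructed for this example.

```python
"""Triage autorun values in a registry export (added example, not Sophos code).

Feed it the output of:  reg export HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run run.reg
(or a full hive export); it reports string values under the autorun keys
named in the advisories and flags entries matching the quoted indicators.
"""
from __future__ import annotations
import re
from dataclasses import dataclass

# Key paths (hive stripped, lower-case) quoted in the descriptions above.
AUTORUN_KEYS = {
    r"software\microsoft\windows\currentversion\run",
    r"software\microsoft\windows\currentversion\runonce",
    r"software\microsoft\windows\currentversion\runservices",
    r"software\microsoft\windows\currentversion\policies\explorer\run",
    r"software\microsoft\windows nt\currentversion\run",
}
# Not autorun locations; an executable name stored here is odd by itself.
ODD_KEYS = {r"software\microsoft\ole", r"system\currentcontrolset\control\lsa"}

# Value names and dropped file names taken from the advisories on this page.
KNOWN_NAMES = {"AOL Instant Messenger dll runtime", "W1NTASK", "HTML32 Help System",
               "Video Process", "MS Unix Binary", "MS-patch", "IRBMe Sucks!!",
               "nawdll32", "wcsys"}
KNOWN_FILES = {"msaol32dll.exe", "taskgmr.exe", "hhs32.pif", "wcsys.exe", "msn5.exe",
               "msnq3insller.exe", "nawdll32.exe", "irbme.exe", "msconfig32.exe"}

KEY_RE = re.compile(r"^\[(.+)\]$")
VALUE_RE = re.compile(r'^(?:"((?:[^"\\]|\\.)*)"|(@))=(.*)$')
EXE_RE = re.compile(r"\.(exe|pif|scr|dll|bat|cmd)\b", re.IGNORECASE)


@dataclass(frozen=True)
class AutorunEntry:
    key: str
    name: str
    data: str
    odd_location: bool   # value sits under one of ODD_KEYS
    known_ioc: bool      # name or file name appears in the advisories


def _normalise_key(key: str) -> str:
    k = key.lower()
    for hive in ("hkey_local_machine\\", "hkey_current_user\\"):
        if k.startswith(hive):
            return k[len(hive):]
    return k


def _unescape(s: str) -> str:
    # .reg files escape quotes and backslashes inside string data
    return s.replace('\\"', '"').replace("\\\\", "\\")


def parse_reg_export(text: str) -> list[AutorunEntry]:
    """Return the string values found under AUTORUN_KEYS and ODD_KEYS."""
    entries: list[AutorunEntry] = []
    current = ""
    for raw in text.splitlines():
        line = raw.strip()
        m = KEY_RE.match(line)
        if m:
            current = _normalise_key(m.group(1))
            continue
        odd = current in ODD_KEYS
        if not odd and current not in AUTORUN_KEYS:
            continue
        m = VALUE_RE.match(line)
        if not m or not m.group(3).startswith('"'):
            continue                      # skip dword:/hex: values and junk
        name = "(default)" if m.group(2) else _unescape(m.group(1))
        data = _unescape(m.group(3).strip().strip('"'))
        if odd and not EXE_RE.search(data):
            continue                      # e.g. Ole\EnableDCOM="Y" is normal
        basename = (data.split("\\")[-1].split() or [""])[0].lower()
        known = name in KNOWN_NAMES or basename in KNOWN_FILES
        entries.append(AutorunEntry(current, name, data, odd, known))
    return entries


# Constructed sample export mixing one benign entry with values modelled on
# W32/Rbot-ATL, W32/Sdbot-ZM, W32/Mytob-BZ and Troj/Agent-EU (not a real capture).
SAMPLE_EXPORT = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Updater"="C:\\Program Files\\Example\\updater.exe"
"MS Unix Binary"="msnq3insller.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices]
"MS Unix Binary"="msnq3insller.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Ole]
"EnableDCOM"="Y"
"nawdll32"="nawdll32.exe"

[HKEY_CURRENT_USER\System\CurrentControlSet\Control\Lsa]
"W1NTASK"="taskgmr.exe"
"LimitBlankPasswordUse"=dword:00000001

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run]
"explorer"="C:\\Temp\\system.exe"
"""

if __name__ == "__main__":
    for e in parse_reg_export(SAMPLE_EXPORT):
        flags = ("ODD-LOCATION " if e.odd_location else "") + ("KNOWN-IOC" if e.known_ioc else "")
        print(f"{e.key}\\{e.name} = {e.data}  {flags}".rstrip())
```

A bare file name with no path, as in most of the entries quoted above, resolves through the system folder at startup, which is why these worms copy themselves to <System> first; an analyst reading the output should therefore treat a path-less value as pointing at the Windows system folder when locating the file.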
--- MultiMail/Win32 v0.43
* Origin: Try Our Web Based QWK: DOCSPLACE.ORG (1:123/140)