Text 7, 1418 rader
Skriven 2004-10-24 23:50:00 av KURT WISMER (1:123/140)
Ärende: News, Oct. 24 2004
==========================
[cut-n-paste from sophos.com]
Name W32/Forbot-BW
Type
* Worm
How it spreads
* Network shares
Affected operating systems
* Windows
Side effects
* Allows others to access the computer
* Deletes files off the computer
* Steals information
* Downloads code from the internet
* Installs itself in the Registry
Aliases
* WORM_WOOTBOT.BM
Prevalence (1-5) 2
Description
W32/Forbot-BW is a network worm with backdoor Trojan functionality.
The worm runs continuously in the background providing backdoor access
to the infected computer.
W32/Forbot-BW spreads by exploiting the LSASS (MS04-011) software
vulnerability. The worm may also spread through backdoors left open by
other malware.
Advanced
W32/Forbot-BW is a network worm with backdoor Trojan functionality.
W32/Forbot-BW spreads by exploiting the LSASS (MS04-011) software
vulnerability. The worm may also spread through backdoors left open by
other malware.
When first run, W32/Forbot-BW copies itself to the Windows System folder
as PKSVC.EXE. In order to run automatically each time Windows is started,
W32/Forbot-BW sets the following registry entries:
HKLM\Software\Microsoft\Windows\CurrentVersion\Run\
PK Services = pksvc.exe
HKLM\Software\Microsoft\Windows\CurrentVersion\RunOnce\
PK Services = pksvc.exe
HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices\
PK Services = pksvc.exe
HKCU\Software\Microsoft\Windows\CurrentVersion\Run\
PK Services = pksvc.exe
HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnce\
PK Services = pksvc.exe
W32/Forbot-BW creates a service named "farm" with the display name of
"PK Services".
The worm runs continuously in the background providing backdoor access
to the infected computer through IRC channels.
The backdoor component of W32/Forbot-BW can be used to:
start an FTP and HTTP server.
delete network shares.
start a SOCKS4, SOCKS5, HTTP, TCP and GRE proxy.
list and stop existing processes and services.
upload, download, run and delete files.
modify the registry.
add and delete services.
steal the product keys of popular games and applications.
scan other computers for open ports and attempt to exploit them.
take part in distributed denial of service (DDOS) attacks.
flush the DNS cache.
logoff, reboot and shut down the computer.
W32/Forbot-BW may delete the ADMIN$, IPC$, C$ and D$ network shares.
W32/Forbot-BW is capable of stealing product keys from the following
games and applications:
Unreal Tournament 2003
Unreal Tournament 2004
The Gladiators
Soldier of Fortune II - Double Helix
Soldiers Of Anarchy
Shogun: Total War: Warlord Edition
Rainbow Six III RavenShield
Neverwinter Nights
Need For Speed Hot Pursuit 2
Need For Speed: Underground
NHL 2002
NHL 2003
Nascar Racing 2002
Nascar Racing 2003
Medal of Honor: Allied Assault
Medal of Honor: Allied Assault: Breakthrough
Medal of Honor: Allied Assault: Spearhead
James Bond 007: Nightfire
Industry Giant 2
IGI 2: Covert Strike
Hidden & Dangerous 2
Half-Life
Gunman Chronicles
Global Operations
Freedom Force
FIFA 2002
FIFA 2003
Counter-Strike
Command and Conquer: Tiberian Sun
Command and Conquer: Red Alert 2
Command and Conquer: Generals (Zero Hour)
Command and Conquer: Generals
Black and White
Battlefield 1942
Battlefield 1942 (Road To Rome)
Battlefield 1942 (Secret Weapons of WWII)
Battlefield Vietnam
Yahoo Pager
AOL Instant Messenger
Call of Duty
Microsoft Messenger Service
Microsoft Windows Product ID
W32/Forbot-BW may alter the following registry entry in order to
enable/disable DCOM:
HKLM\SOFTWARE\Microsoft\Ole\EnableDCOM
W32/Forbot-BW will attempt to disable other malware, such as members of
the W32/Bagle family.
Name W32/Bagz-D
Type
* Worm
How it spreads
* Email attachments
Affected operating systems
* Windows
Side effects
* Turns off anti-virus applications
* Sends itself to email addresses found on the infected computer
* Forges the sender's email address
* Uses its own emailing engine
* Downloads code from the internet
Aliases
* I-Worm.Bagz.d
Prevalence (1-5) 3
Description
W32/Bagz-D is mass mailing network worm that also contains a backdoor
which allows an intruder to download and install further components.
W32/Bagz-D will attempt to harvest email addresses from TXT, HTM, DBX,
TBI and TBB files, which it will use for both the to and from addresses
of emails that it sends.
The worm will also attempt to terminate anti-virus software.
Advanced
W32/Bagz-D is mass mailing network worm that also contains a backdoor
which allows an intruder to download and install further components.
W32/Bagz-D will attempt to harvest email addresses from TXT, HTM, DBX,
TBI and TBB files, which it will use for both the to and from addresses
of emails that it sends.
The sent email will have the following characteristics:
Subject line:
ASAP
please responce
Read this
urgent
toxic
contract
Money
office
Have a nice day
Hello
Russian's
Amirecans
attachments
attach
waiting
best regards
Administrator
Warning
text
Vasia
re: Andrey
re: please
re: order
Allert!
Attachment (ZIP format):
backup.zip
admin.zip
archivator.zip
about.zip
readme.zip
help.zip
photos.zip
payment.zip
archives.zip
manual.zip
inbox.zip
outbox.zip
save.zip
rar.zip
zip.zip
ataches.zip
documentation.zip
docs.zip
Attachment (EXE format):
backup.doc (spaces) .exe
admin.doc (spaces) .exe
archivator.doc (spaces) .exe
about.doc (spaces) .exe
readme.doc (spaces) .exe
help.doc (spaces) .exe
photos.doc (spaces) .exe
payment.doc (spaces) .exe
archives.doc (spaces) .exe
manual.doc (spaces) .exe
inbox.doc (spaces) .exe
outbox.doc (spaces) .exe
save.doc (spaces) .exe
rar.doc (spaces) .exe
zip.doc (spaces) .exe
ataches.doc (spaces) .exe
documentation.doc (spaces) .exe
docs.doc (spaces) .exe
sysboot.doc (spaces) .exe
W32/Bagz-D will keep a copy of the files that it sends in the Windows
system32 folder. The worm also drops the following components in to that
folder:
run32.exe (Detected as component of W32/Bagz-C)
rpc32.exe
ipdb.dll
wdate.dll
jobdb.dll
W32/Bagz-D will also modify the %system32%/drivers/etc/hosts file in
order to prevent access to major virus vendors websites.
The worm will install itself as a service called RPC32.
Name JS/Scob-A
Type
* Trojan
Aliases
* JS/Exploit-DialogArg.b
* Trojan.JS.Scob.a
Prevalence (1-5) 2
Description
JS/Scob-A is a JavaScript Trojan that is reported to be appended to HTML
files on IIS machines.
JS/Scob-A downloads a file from a Russian website, this website is no
longer accessible.
Name W32/Baba-A
Type
* Worm
How it spreads
* Email attachments
Affected operating systems
* Windows
Side effects
* Drops more malware
* Forges the sender's email address
* Uses its own emailing engine
* Installs itself in the Registry
* Leaves non-infected files on computer
Aliases
* W32/Netsky-AE
* I-Worm.Baba.b
* W32/Netsky.ai@MM
* W32/Buchon@mm
Prevalence (1-5) 2
Description
W32/Baba-A is a mass-mailing worm.
Advanced
W32/Baba-A is a mass-mailing worm.
When run the worm attempts to create a helper component csrss.exe in the
C:\ folder and executes it. The helper component then creates the
following registry entry so as to auto-start on user logon:
HKCU\Software\Microsoft\Windows\CurrentVersion\Run\
Key Logger = c:\csrss.exe
W32/Baba-A will attempt to harvest email addresses from files on the
infected computer with the following extensions:
DBX WAB MBX EML MDB TBB NBOX DAT
Sent emails are composed as HTML and take the following form:
Subject:
Mail Delivery failure -
Mail body:
If the message will not displayed automatically,
you can check original in attached message.txt
Failed message also saved at:
www.<host>/inbox/security/read.asp?sessionid-<random number>
(check attached instructions)
+++ Attachment: No Virus found
+++ MC-Afee AntiVirus - www.mcafee.com
W32/Baba-A contains the text "SoonChunHyang" and "Bucheon".
Name W32/Rbot-NJ
Type
* Worm
How it spreads
* Network shares
Affected operating systems
* Windows
Side effects
* Turns off anti-virus applications
* Allows others to access the computer
* Downloads code from the internet
* Reduces system security
* Records keystrokes
Aliases
* Backdoor.Win32.Rbot.gen
Prevalence (1-5) 2
Description
W32/Rbot-NJ is a network worm which contains IRC backdoor Trojan
functionality, allowing unauthorised remote access to the infected
computer.
Advanced
W32/Rbot-NJ is a worm which attempts to spread to remote network shares.
It also contains backdoor Trojan functionality, allowing unauthorised
remote access to the infected computer via IRC channels while running in
the background as a service process.
W32/Rbot-NJ spreads to network shares with weak passwords and via
network security exploits as a result of the backdoor Trojan element
receiving the appropriate command from a remote user.
W32/Rbot-NJ copies itself to the Windows system folder as LOGON.EXE and
creates entries at the following locations in the registry with the
value "update run msword" so as to run itself on system startup,
resetting them every minute:
HKLM\Software\Microsoft\Windows\CurrentVersion\Run
HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices
HKCU\Software\Microsoft\Windows\CurrentVersion\Run
W32/Rbot-NJ sets the following registry entries every 2 minutes:
HKLM\SOFTWARE\Microsoft\Ole\EnableDCOM = "N"
HKLM\SYSTEM\CurrentControlSet\Control\Lsa\restrictanonymous = "1"
W32/Rbot-NJ attempts to delete network shares on the host computer every
2 minutes.
W32/Rbot-NJ may attempt to log keystrokes to the file REGSNS.TXT in the
Windows system folder.
W32/Rbot-NJ attempts to terminate processes related to the following
files:
regedit.exe
msconfig.exe
netstat.exe
msblast.exe
zapro.exe
navw32.exe
navapw32.exe
zonealarm.exe
wincfg32.exetaskmon.exe [sic]
PandaAVEngine.exe
sysinfo.exe
mscvb32.exe
MSBLAST.exe
teekids.exe
Penis32.exe
bbeagle.exe
SysMonXP.exe
winupd.exe
winsys.exe
ssate.exe
rate.exe
d3dupdate.exe
irun4.exe
i11r54n4.exe
Name Troj/Banker-EK
Type
* Trojan
Affected operating systems
* Windows
Side effects
* Steals information
Aliases
* PWS-Bancban.gen.b
Prevalence (1-5) 2
Description
Troj/Banker-EK is an information stealing Trojan.
Advanced
Troj/Banker-EK is an information stealing Trojan. The Trojan monitors
the user's internet activity and records login details for the website
www2.bancobrasil.com.br.
The login information is then emailed to an email address in Brazil.
Name OF97/Toraja-I
Type
* Virus
Aliases
* O97M.Toraja.Gen
* X97M/Toraja
* O97M_TORAJA.I
Prevalence (1-5) 2
Description
OF97/Toraja-I is a macro virus for the Microsoft Office 97 platform.
It will create an infected document in the following location to ensure
it is run when Excel starts.
C:\Program Files\Microsoft Office\Office\Xlstart\start25.xls
Name W32/Rbot-NG
Type
* Worm
How it spreads
* Network shares
Affected operating systems
* Windows
Side effects
* Allows others to access the computer
* Reduces system security
* Installs itself in the Registry
Aliases
* Win32.Rbot.gen
* W32/Sdbot.worm.gen.i
* WORM_RBOT.RW
Prevalence (1-5) 2
Description
W32/Rbot-NG is a worm which attempts to spread to remote network shares.
It also contains backdoor Trojan functionality, allowing unauthorised
remote access to the infected computer via IRC channels while running in
the background as a service process.
Advanced
W32/Rbot-NG is a worm which attempts to spread to remote network shares.
It also contains backdoor Trojan functionality, allowing unauthorised
remote access to the infected computer via IRC channels while running in
the background as a service process.
W32/Rbot-NG spreads to network shares with weak passwords as a result of
the backdoor Trojan element receiving the appropriate commands from a
remote user.
W32/Rbot-NG copies itself to the Windows System32 folder as NETSIS.EXE
and creates entries in the registry at the following locations to run
itself on system startup:
HKLM\Software\Microsoft\Windows\CurrentVersion\Run\
Networks Controler = Netsis.exe
HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices\
Networks Controler = Netsis.exe
HKCU\Software\Microsoft\Windows\CurrentVersion\Run\
Networks Controler = Netsis.exe
Name W32/Forbot-BR
Type
* Worm
How it spreads
* Network shares
Affected operating systems
* Windows
Side effects
* Turns off anti-virus applications
* Allows others to access the computer
* Deletes files off the computer
* Steals information
* Reduces system security
Prevalence (1-5) 2
Description
W32/Forbot-BR is a network worm and IRC backdoor Trojan for the Windows
platform.
Advanced
W32/Forbot-BR is a network worm and IRC backdoor Trojan for the Windows
platform.
When first run, W32/Forbot-BR copies itself to the Windows system folder
with the filename windows.exe
In order to run on system start, the worm creates the following registry
entries:
HKLM\Software\Microsoft\Windows\CurrentVersion\Run\
NDIS Adapter = windows.exe
HKLM\Software\Microsoft\Windows\CurrentVersion\RunOnce\
NDIS Adapter = windows.exe
HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices\
NDIS Adapter = windows.exe
HKCU\Software\Microsoft\Windows\CurrentVersion\Run\
NDIS Adapter = windows.exe
HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnce\
NDIS Adapter = windows.exe
The backdoor component connects to an IRC channel and awaits commands
from a remote user. The Trojan can then be instructed to:
take part in DDoS attacks
steal product registration information
scan other machines for vulnerabilities
harvest information from files on the hard disk
act as a server (FTP, HTTP, SOCKS4)
Name W32/Forbot-BQ
Type
* Worm
How it spreads
* Network shares
Affected operating systems
* Windows
Side effects
* Allows others to access the computer
* Deletes files off the computer
* Steals information
* Downloads code from the internet
* Reduces system security
Aliases
* Backdoor.Win32.Wootbot.gen
Prevalence (1-5) 2
Description
W32/Forbot-BQ is a network worm with backdoor Trojan functionality.
The worm runs continuously in the background providing backdoor access
to the infected computer.
W32/Forbot-BQ spreads through network shares and by exploiting the LSASS
(MS04-011) software vulnerability. The worm may also spread through
backdoors left open by other malware.
Advanced
W32/Forbot-BQ is a network worm with backdoor Trojan functionality.
W32/Forbot-BQ spreads through network shares and by exploiting the LSASS
(MS04-011) software vulnerability. The worm may also spread through
backdoors left open by other malware.
When first run, W32/Forbot-BQ copies itself to the Windows System folder
as WIN32USB.EXE. In order to run automatically each time Windows is
started, W32/Forbot-BQ sets the following registry entries:
HKLM\Software\Microsoft\Windows\CurrentVersion\Run\
USB Device = win32usb.exe
HKLM\Software\Microsoft\Windows\CurrentVersion\RunOnce\
USB Device = win32usb.exe
HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices\
USB Device = win32usb.exe
HKCU\Software\Microsoft\Windows\CurrentVersion\Run\
USB Device = win32usb.exe
HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnce\
USB Device = win32usb.exe
W32/Forbot-BQ creates a service named "blargh" with
the display name of "USB Device".
The worm runs continuously in the background providing backdoor access
to the infected computer through IRC channels.
The backdoor component of W32/Forbot-BQ can be used to:
start an FTP and HTTP server.
delete network shares.
start a SOCKS4, SOCKS5, HTTP, TCP and GRE proxy.
list and stop existing processes and services.
upload, download, run and delete files.
modify the registry.
add and delete services.
steal the product keys of popular games and applications.
scan other computers for open ports and attempt to exploit them.
take part in distributed denial of service (DDOS) attacks.
flush the DNS cache.
logoff, reboot and shut down the computer.
W32/Forbot-BQ may delete the ADMIN$, IPC$, C$ and D$ network shares.
W32/Forbot-BQ is capable of stealing product keys from the following
games and applications:
Unreal Tournament 2003
Unreal Tournament 2004
The Gladiators
Soldier of Fortune II - Double Helix
Soldiers Of Anarchy
Shogun: Total War: Warlord Edition
Rainbow Six III RavenShield
Neverwinter Nights
Need For Speed Hot Pursuit 2
Need For Speed: Underground
NHL 2002
NHL 2003
Nascar Racing 2002
Nascar Racing 2003
Medal of Honor: Allied Assault
Medal of Honor: Allied Assault: Breakthrough
Medal of Honor: Allied Assault: Spearhead
James Bond 007: Nightfire
Industry Giant 2
IGI 2: Covert Strike
Hidden & Dangerous 2
Half-Life
Gunman Chronicles
Global Operations
Freedom Force
FIFA 2002
FIFA 2003
Counter-Strike
Command and Conquer: Tiberian Sun
Command and Conquer: Red Alert 2
Command and Conquer: Generals (Zero Hour)
Command and Conquer: Generals
Black and White
Battlefield 1942
Battlefield 1942 (Road To Rome)
Battlefield 1942 (Secret Weapons of WWII)
Battlefield Vietnam
Yahoo Pager
AOL Instant Messenger
Call of Duty
Microsoft Messenger Service
Microsoft Windows Product ID
W32/Forbot-BQ may alter the following registry entry in order to
enable/disable DCOM:
HKLM\SOFTWARE\Microsoft\Ole\EnableDCOM
W32/Forbot-BQ will attempt to disable other malware, such as members of
the W32/Bagle family.
Name W32/Spybot-DF
Type
* Worm
How it spreads
* Network shares
* Chat programs
* Peer-to-peer
Affected operating systems
* Windows
Side effects
* Turns off anti-virus applications
* Allows others to access the computer
* Steals information
* Reduces system security
* Records keystrokes
* Installs itself in the Registry
Aliases
* Worm.P2P.SpyBot.gen
* W32/Spybot.worm.gen.a
Prevalence (1-5) 2
Description
W32/Spybot-DF is an IRC backdoor worm.
W32/Spybot-DF connects to a remote IRC server and runs in the background
as a service process, listening for backdoor commands from a remote
user. The worm may spread to network shares with weak passwords or by
DCC. The worm may also spread through peer-to-peer networks, copying
itself to the folder <system>\kazaabackupfiles as DOWNLOAD_ME.EXE.
While the worm is active it attempts to terminate various monitoring
programs.
The worm may also log keystrokes, saving them to a local file or sending
them directly to a remote user over IRC.
Sophos anti-virus products since version 3.84 have been capable of
detecting this worm as Troj/Spybot-Fam without requiring an update.
Advanced
W32/Spybot-DF is an IRC backdoor worm.
W32/Spybot-DF connects to a remote IRC server and runs in the background
as a service process, listening for backdoor commands from a remote
user. The worm may spread to network shares with weak passwords or by
DCC. The worm may also spread through peer-to-peer networks, copying
itself to the folder <system>\kazaabackupfiles as DOWNLOAD_ME.EXE and
setting the following registry entry to point to this location:
HKCU\Software\Kazaa\LocalContent\
Dir0
In order to be run automatically on system startup, the worm copies
itself to the system folder as WINDOWSUPDATER.EXE and registry entries
at the following locations to point to this file:
HKLM\Software\Microsoft\Windows\CurrentVersion\Run\
HKLM\Software\Microsoft\Windows\CurrentVersion\RunOnce\
While the worm is active it attempts to terminate various monitoring
programs.
The worm may also log keystrokes, saving them to a local file or sending
them directly to a remote user over IRC.
Name W32/Forbot-BP
Type
* Worm
How it spreads
* Network shares
Affected operating systems
* Windows
Side effects
* Allows others to access the computer
* Steals information
* Downloads code from the internet
* Reduces system security
* Installs itself in the Registry
Prevalence (1-5) 2
Description
W32/Forbot-BP is a network worm which attempts to spread via network
shares. The worm contains backdoor Trojan functions that allows
unauthorised remote access to the infected computer via IRC channels
while running in the background.
Advanced
W32/Forbot-BP is a network worm which attempts to spread via network
shares. The worm contains backdoor Trojan functions that allows
unauthorised remote access to the infected computer via IRC channels
while running in the background.
When run W32/Forbot-BP moves itself to the Windows System folder as
crsrs.exe and creates the following registry entries so as to run itself
either on user logon or computer restart:
HKLM\Software\Microsoft\Windows\CurrentVersion\Run
Auto updat = crsrs.exe
HKLM\Software\Microsoft\Windows\CurrentVersion\RunOnce
Auto updat = crsrs.exe
HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices
Auto updat = crsrs.exe
HKCU\Software\Microsoft\Windows\CurrentVersion\Run
Auto updat = crsrs.exe
HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnce
Auto updat = crsrs.exe
Once installed, W32/Forbot-BP will attempt to perform the following
actions when instructed to do so by a remote attacker:
- setup a SOCKS4 proxy
- setup a HTTP proxy
- delete network shares
- partake in denial of service (DDOS) attacks
- port scan IP addresses
- download and run files from the Internet
- steal CD keys
The worm will also create the following registry entries:-
HKLM\SYSTEM\CurrentControlSet\Services\crcss.exe\
HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_CRCSS.EXE\
W32/Forbot-BP also creates its own service named "crcss.exe", with the
display name "Auto updat".
W32/Forbot-BP can spread to unpatched machines affected by the LSASS
vulnerability (MS04-011).
Name W32/Rbot-ND
Type
* Worm
How it spreads
* Network shares
Affected operating systems
* Windows
Side effects
* Allows others to access the computer
* Steals information
* Reduces system security
* Records keystrokes
* Installs itself in the Registry
* Exploits system or software vulnerabilities
Aliases
* Backdoor.Win32.Rbot.gen
* W32/Spybot.worm.gen.e
* WORM_SDBOT.WK
Prevalence (1-5) 2
Description
W32/Rbot-ND is a worm and backdoor for the Windows platform.
The worm spread to shares and Microsoft SQL servers protected by weak
passwords and to computers with unpatched operating system
vulnerabilities or backdoors opened by other worms and Trojans.
The backdoor component connects to a predefined IRC server and waits for
commands from a remote attacker.
The vulnerabitilies exploited by W32/Rbot-ND are addressed by Microsoft
security bulletins MS04-012 and MS03-007.
Advanced
W32/Rbot-ND is a worm and backdoor for the Windows platform.
The worm spread to shares and Microsoft SQL servers protected by weak
passwords and to computers with unpatched operating system
vulnerabilities or backdoors opened by other worms and Trojans.
The backdoor component connects to a predefined IRC server and waits for
commands from a remote attacker.
W32/Rbot-ND copies itself to the Windows system folder as webm.exe and
adds the following registry entries to ensure that the copy is run each
time Windows is started:
HKCU\Software\Microsoft\Windows\CurrentVersion\Run\
Microsoft Update = "webm.exe"
HKLM\Software\Microsoft\Windows\CurrentVersion\Run\
Microsoft Update = "webm.exe"
HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices\
Microsoft Update = "webm.exe"
The backdoor component allows an attacker to control the infected
computer and offers functions such as:
Keystroke logging
Distributed denial of service attacks
Packet sniffing
Remote login
Video capture
File transfer
Proxy server
The vulnerabitilies exploited by W32/Rbot-ND are addressed by Microsoft
security bulletins MS04-012 and MS03-007.
Name W32/Forbot-BN
Type
* Worm
How it spreads
* Network shares
Affected operating systems
* Windows
Side effects
* Allows others to access the computer
* Deletes files off the computer
* Steals information
* Downloads code from the internet
* Reduces system security
Prevalence (1-5) 2
Description
W32/Forbot-BN is a network worm with backdoor Trojan functionality.
The worm runs continuously in the background providing backdoor access
to the infected computer.
W32/Forbot-BN spreads through network shares and by exploiting the LSASS
(MS04-011) software vulnerability. The Trojan may also spread through
backdoors left open by other malware.
Advanced
W32/Forbot-BN is a network worm with backdoor Trojan functionality.
W32/Forbot-BN spreads through network shares and by exploiting the LSASS
(MS04-011) software vulnerability. The Trojan may also spread through
backdoors left open by other malware.
When first run, W32/Forbot-BN copies itself to the Windows System folder
as RUNDLL.EXE. In order to run automatically each time Windows is
started, W32/Forbot-BN sets the following registry entries:
HKLM\Software\Microsoft\Windows\CurrentVersion\Run\
Win32 USB Driver = rundll.exe
HKLM\Software\Microsoft\Windows\CurrentVersion\RunOnce\
Win32 USB Driver = rundll.exe
HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices\
Win32 USB Driver = rundll.exe
HKCU\Software\Microsoft\Windows\CurrentVersion\Run\
Win32 USB Driver = rundll.exe
HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnce\
Win32 USB Driver = rundll.exe
W32/Forbot-BN creates a service named "EatShit" with the display name
"Win32 USB Driver".
The worm runs continuously in the background providing backdoor access
to the infected computer through IRC channels.
The backdoor component of W32/Forbot-BN can be used to:
start an FTP and HTTP server.
delete network shares.
start a SOCKS4, SOCKS5, HTTP, TCP and GRE proxy.
list and stop existing processes and services.
upload, download, run and delete files.
modify the registry.
add and delete services.
steal the product keys of popular games and applications.
scan other computers for open ports and attempt to exploit them.
take part in distributed denial of service (DDOS) attacks.
flush the DNS cache.
logoff, reboot and shut down the computer.
W32/Forbot-BN may delete the ADMIN$, IPC$, C$ and D$ network shares.
W32/Forbot-BN is capable of stealing product keys from the following
games and applications:
AOL Instant Messenger
Yahoo Pager
Microsoft Messenger Service
Microsoft Windows Product ID
Counter-Strike
The Gladiators
Gunman Chronicles
Half-Life
Industry Giant 2
Unreal Tournament 2003
Unreal Tournament 2004
IGI 2: Covert Strike
Freedom Force
Battlefield 1942
Battlefield 1942 (Road To Rome)
Battlefield 1942 (Secret Weapons of WWII)
Battlefield Vietnam
Black and White
Command and Conquer: Tiberian Sun
Command and Conquer: Red Alert 2
Command and Conquer: Generals (Zero Hour)
Command and Conquer: Generals
James Bond 007: Nightfire
Global Operations
Medal of Honor: Allied Assault
Medal of Honor: Allied Assault: Breakthrough
Medal of Honor: Allied Assault: Spearhead
Need For Speed Hot Pursuit 2
Need For Speed: Underground
Shogun: Total War: Warlord Edition
FIFA 2002
FIFA 2003
NHL 2002
NHL 2003
Nascar Racing 2002
Nascar Racing 2003
Rainbow Six III RavenShield
Hidden & Dangerous 2
Soldiers Of Anarchy
Soldier of Fortune II - Double Helix
Call of Duty
Neverwinter Nights
W32/Forbot-BN may alter the following registry entry in order to
enable/disable DCOM:
HKLM\SOFTWARE\Microsoft\Ole\EnableDCOM
W32/Forbot-BN will attempt to disable other malware, such as members of
the W32/Bagle family.
Name W32/Forbot-AR
Type
* Worm
How it spreads
* Network shares
Affected operating systems
* Windows
Side effects
* Allows others to access the computer
* Reduces system security
* Installs itself in the Registry
Aliases
* Backdoor.Win32.Wootbot.gen
* W32/Gaobot.worm.gen.q
* WORM_WOOTBOT.K
Prevalence (1-5) 2
Description
W32/Forbot-AR is a worm which attempts to spread to remote network
shares.
W32/Forbot-AR also contains backdoor Trojan functionality, allowing
unauthorised remote access to the infected computer via IRC channels
while running in the background as a service process.
Advanced
W32/Forbot-AR is a worm which attempts to spread to remote network
shares.
W32/Forbot-AR also contains backdoor Trojan functionality, allowing
unauthorised remote access to the infected computer via IRC channels
while running in the background as a service process.
W32/Forbot-AR copies itself to the Windows system folder as
securitychk.exe and creates entries in the registry at the following
locations to run itself on system startup:
HKLM\Software\Microsoft\Windows\CurrentVersion\Run\
Microsoft Secure Messenger.NET Service
securitychk.exe
HKLM\Software\Microsoft\Windows\CurrentVersion\RunOnce\Win32 USB2 Driver
Microsoft Secure Messenger.NET Service
securitychk.exe
HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices\Win32 USB2
Driver Microsoft Secure Messenger.NET Service
securitychk.exe
HKCU\Software\Microsoft\Windows\CurrentVersion\Run\Win32 USB2 Driver
Microsoft Secure Messenger.NET Service
securitychk.exe
HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnce\Win32 USB2 Driver
Microsoft Secure Messenger.NET Service
securitychk.exe
W32/Forbot-AR also creates its own service named
"Microsoft Secure Messenger.NET Service".
Name W32/Rbot-NA
Type
* Worm
How it spreads
* Network shares
Affected operating systems
* Windows
Side effects
* Allows others to access the computer
* Downloads code from the internet
* Reduces system security
* Records keystrokes
* Installs itself in the Registry
Aliases
* Backdoor.Win32.Rbot.gen
Prevalence (1-5) 2
Description
W32/Rbot-NA is a network worm which contains IRC backdoor Trojan
functionality, allowing unauthorised remote access to the infected
computer.
Advanced
W32/Rbot-NA is a worm which attempts to spread to remote network shares.
It also contains backdoor Trojan functionality, allowing unauthorised
remote access to the infected computer via IRC channels while running in
the background as a service process.
W32/Rbot-NA spreads to network shares with weak passwords and via
network security exploits as a result of the backdoor Trojan element
receiving the appropriate command from a remote user.
W32/Rbot-NA copies itself to the Windows system folder as TASKMSG.EXE
and creates entries at the following locations in the registry with the
value candynet so as to run itself on system startup:
HKLM\Software\Microsoft\Windows\CurrentVersion\Run
HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices
W32/Rbot-NA also sets the following registry entry with the same value
to point to itself:
HKCU\Software\Microsoft\OLE
W32/Rbot-NA may attempt to sets the following registry entries:
HKLM\SOFTWARE\Microsoft\Ole\EnableDCOM = "N"
HKLM\SYSTEM\CurrentControlSet\Control\Lsa\restrictanonymous = "1"
W32/Rbot-NA may attempt to delete network shares on the host computer.
W32/Rbot-NA may attempt to log keystrokes to the file KEY.TXT in the
Windows system folder.
Name W32/Sluter-E
Type
* Worm
How it spreads
* Network shares
* Chat programs
Affected operating systems
* Windows
Side effects
* Turns off anti-virus applications
* Allows others to access the computer
* Steals information
* Reduces system security
* Records keystrokes
* Installs itself in the Registry
Prevalence (1-5) 2
Description
W32/Sluter-E is an IRC backdoor Trojan and network worm for the Windows
platform. The worm spreads through network shares and by scanning
network machines for known vulnerabilities.
Advanced
W32/Sluter-E is an IRC backdoor Trojan and network worm for the Windows
platform. The worm spreads through network shares and by scanning
network machines for known vulnerabilities.
When first run, the worm copies itself to the Windows system folder with
the filename winsci32.exe. In order to run on system start, W32/Sluter-E
creates the following registry entries:
HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices
Winsci Loaded = %System%\winsci32.exe
HKLM\Software\Microsoft\Windows\CurrentVersion\Run
Winsci Loaded = %System%\winsci32.exe
The worm registers itself as a system service with the service name
"Winsci32" and the imagepath set to the path of winsci32.exe
W32/Sluter-E connects to an IRC channel where it awaits commands from a
remote user. The backdoor component can be instructed to perform any of
the following functions:
SOCKS4 proxy server
FTP server
send email
keylogger
take part in DDoS attacks (SYN, ICMP, Ping)
steal product registration keys
insert and send insulting text into open IM windows (AIM, Yahoo, MSN
Messenger)
gather system information (filesystem, hardware, running processes)
open and close CDROM trays
download/upload files
execute arbitrary commands
W32/Sluter-E queries the following registry entries for product keys
belonging to certain game software:
HKLM\Software\Westwood\Tiberian Sun
HKLM\Software\Westwood\Red Alert 2
HKLM\Software\IGI 2 Retail\CDKey
HKLM\Software\Electronic Arts\EA GAMES\Generals\ergc
HKLM\Software\Electronic Arts\EA Sports\FIFA 2003\ergc
HKLM\Software\Electronic Arts\EA GAMES\Need For Speed Hot Pursuit
HKCU\Software\Eugen Systems\The Gladiators
HKLM\Software\Activision\Soldier of Fortune II - Double Helix
HKLM\Software\BioWare\NWN\Neverwinter
HKLM\Software\Red Storm Entertainment\RAVENSHIELD
HKLM\Software\Electronic Arts\EA GAMES\Battlefield 1942 The Road to Rome
HKLM\Software\Electronic Arts\EA GAMES\Battlefield 1942
HKLM\Software\IGI 2 Retail
HKCU\Software\Valve\CounterStrike\Settings
HKLM\Software\Unreal Technology\Installed Apps\UT2003
HKCU\Software\Valve\Half-Life\Settings
Name W32/Wort-B
Type
* Worm
How it spreads
* Network shares
Affected operating systems
* Windows
Side effects
* Downloads code from the internet
* Reduces system security
* Installs itself in the Registry
* Exploits system or software vulnerabilities
Aliases
* Exploit.Win32.RPCLsa.10
* Exploit-MS04-011.gen
Prevalence (1-5) 2
Description
W32/Wort-B is a network worm that attempts to spread to remote computers
by exploiting the LSASS vulnerability.
W32/Wort-B may may also attempt to download and execute files to the
remote computer from internet sites as SETTER.EXE or SETTROW.EXE. At the
time of writing the file downloaded as SETTER.EXE is detected as
Troj/Hostol-A and the file SETTROW.EXE is not available for download.
Advanced
W32/Wort-B is a network worm that attempts to spread to remote computers
by exploiting the LSASS vulnerability.
W32/Wort-B may may also attempt to download and execute files to the
remote computer from internet sites as SETTER.EXE or SETTROW.EXE. At the
time of writing the file downloaded as SETTER.EXE is detected as
Troj/Hostol-A and the file SETTROW.EXE is not available for download.
The Trojan creates the following registry entry to run itself on system
startup:
HKLM\Software\Microsoft\Windows\CurrentVersion\Run\WinLsass
W32/Wort-B may also create the following registry entry to run itself on
system startup:
HKLM\Software\Microsoft\Windows\CurrentVersion\RunOnce\WinLsass
W32/Wort-B may also attempt to delete a registry entry entry at the
following location:
HKCU\Software\System\WinTmp
W32/Wort-B generates random IP addresses to exploit.
W32/Wort-B may send information about its status to a remote website.
--- MultiMail/Win32 v0.43
* Origin: Try Our Web Based QWK: DOCSPLACE.ORG (1:123/140)
|