Text 72, 1657 rader
Skriven 2005-11-20 01:39:00 av KURT WISMER (1:123/140)
Ärende: News, November 20, 2005
===============================
[cut-n-paste from sophos.com]
Name W32/Sober-T
Type
* Worm
How it spreads
* Email attachments
Affected operating systems
* Windows
Side effects
* Sends itself to email addresses found on the infected computer
* Forges the sender's email address
* Uses its own emailing engine
* Installs itself in the Registry
* Leaves non-infected files on computer
Prevalence (1-5) 2
Description
W32/Sober-T is a mass-mailing worm for the Windows platform.
The email characteristics will be one of the following, depending on
the recipient address:
Subject line: I've got your email on my account
Message text:
First, my English is very bad! Sorry about this.
Ok, I've got an email in my box, but this email is not for me, because,
I'm not the recipient! The recipient are you!
This must be an email-provider error, but I don't know!
I have made a Screenshot about this mail and saved then in a zipped
jpeg file for you.
ok then,
Attachment: email_photo.zip
or
Subject line: Ich habe Ihre E-Mail erhalten
Message text:
Sie haben aber Ihre Mail wahrscheinlich falsch adressiert, naemlich
an mich. Ich kenne sie aber nicht!
Oder Ihr Provider hat die eMail falsch weiter geleitet?
Um mich zu entlasten, schicke ich Ihnen das (!.!) Foto wieder zurueck.
Attachment: Foto.zip
Advanced
W32/Sober-T is a mass-mailing worm for the Windows platform.
When first run, a message box may be displayed with the title "Windows"
and containing the text "Error in Graphic Data".
The email characteristics will be one of the following, depending on
the recipient address:
Subject line: I've got your email on my account
Message text:
First, my English is very bad! Sorry about this.
Ok, I've got an email in my box, but this email is not for me, because,
I'm not the recipient! The recipient are you!
This must be an email-provider error, but I don't know!
I have made a Screenshot about this mail and saved then in a zipped
jpeg file for you.
ok then,
bye
Attachment: email_photo.zip
or
Subject line: Ich habe Ihre E-Mail erhalten
Message text:
Danke fur Ihre Email ....
Sie haben aber Ihre Mail wahrscheinlich falsch adressiert, naemlich
an mich. Ich kenne sie aber nicht!
Oder Ihr Provider hat die eMail falsch weiter geleitet?
Um mich zu entlasten, schicke ich Ihnen das (!.!) Foto wieder zurueck.
MfG
Sender
Attachment: Foto.zip
W32/Sober-T harvests email addresses from files with the following
strings in their filenames:
pmr phtm stm slk inbox imb csv bak imh xhtml imm imh cms nws vcf ctl
dhtm cgi pp ppt msg jsp oft vbs uin ldb abc pst cfg mdw mbx mdx mda
adp nab fdb vap dsp ade sln dsw mde frm bas adr cls ini ldif log mdb
xml wsh tbb abx abd adb pl rtf mmf doc ods nch xls nsf txt wab eml
hlp mht nfo php asp shtml dbx
When W32/Sober-T is installed, the following files are created:
<Windows>\vvvfdsqq.exe
<Windows>\ConnectionStatus\services.exe
The following registry entries are created to run services.exe on
startup:
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\
WinCheck
<Windows>\ConnectionStatus\services.exe
HKCU\Software\Microsoft\Windows\CurrentVersion\Run\
_WinCheck
<Windows>\ConnectionStatus\services.exe
W32/Sober-T creates the following files in the windows system folder.
bbvmwxxf.hml
gdfjgthv.cvq
langeinf.lin
nonrunso.ber
rubezahl.rub
runstop.rst
These files are harmless and may be deleted safely.
Name Troj/GrayBrd-EH
Type
* Spyware Trojan
Affected operating systems
* Windows
Side effects
* Allows others to access the computer
* Steals information
* Downloads code from the internet
* Reduces system security
* Installs itself in the Registry
* Dropped by malware
Prevalence (1-5) 2
Description
Troj/GrayBrd-EH is a backdoor Trojan for the Windows platform.
Troj/GrayBrd-EH includes functionality to access the internet and
communicate with a remote server via HTTP.
Advanced
Troj/GrayBrd-EH is a backdoor Trojan for the Windows platform.
Troj/GrayBrd-EH includes functionality to access the internet and
communicate with a remote server via HTTP.
When first run Troj/GrayBrd-EH copies itself to <Program Files>\.exe
and creates the following files:
<Windows folder>\Temp\8e4ds4.dll
8e4ds4.dll is detected as Troj/Vanti-G
The file ".exe" is registered as a new system driver service named
"GrayPigeon", with a display name of "Gray_Pigeon" and a startup type
of automatic, so that it is started automatically during system
startup. Registry entries are created under:
HKLM\SYSTEM\CurrentControlSet\Services\GrayPigeon\
Name W32/Codbot-L
Type
* Spyware Worm
How it spreads
* Network shares
Affected operating systems
* Windows
Side effects
* Allows others to access the computer
* Steals information
* Reduces system security
* Installs itself in the Registry
* Exploits system or software vulnerabilities
Aliases
* Backdoor.Win32.Codbot.ae
Prevalence (1-5) 2
Description
W32/Codbot-L is a worm with backdoor functionality for the Windows
platform.
W32/Codbot-L can spread to weakly protected network shares, weakly
protected Micrsoft SQL servers, and to computers vulnerable to the
RPC-DCOM exploit.
The following patches for the operating system vulnerabilities
exploited by W32/Codbot-L can be obtained from the Microsoft website:
http://www.microsoft.com/technet/security/bulletin/MS04-012.mspx
W32/Codbot-L runs continuously in the background, providing a
backdoor server which allows a remote intruder to gain access and
control over the computer via IRC channels. The intruder can issue
commands to download and run further malicious code, steal passwords
and system information and sniff packets from the local network.
Advanced
W32/Codbot-L is a worm with backdoor functionality for the Windows
platform.
W32/Codbot-L can spread to weakly protected network shares, weakly
protected Micrsoft SQL servers, and to computers vulnerable to the
RPC-DCOM exploit.
The following patches for the operating system vulnerabilities
exploited by W32/Codbot-L can be obtained from the Microsoft website:
http://www.microsoft.com/technet/security/bulletin/MS04-012.mspx
W32/Codbot-L runs continuously in the background, providing a
backdoor server which allows a remote intruder to gain access and
control over the computer via IRC channels. The intruder can issue
commands to download and run further malicious code, steal passwords
and system information and sniff packets from the local network.
When first run W32/Codbot-L copies itself to
<Windows system folder>\rpcclient.exe.
W32/Codbot-L is registered as a new system driver service named
"RpcClient", with a display name of "Remote Procedure Call (RPC)
Client" and a startup type of automatic, so that it is started
automatically during system startup. Registry entries are created
under:
HKLM\SYSTEM\CurrentControlSet\Services\RpcClient\
Registry entries are set as follows:
HKLM\SYSTEM\CurrentControlSet\Hardware
Profiles\0001\Software\Microsoft\windows\CurrentVersion\Internet Settings
ProxyEnable
1
HKLM\SYSTEM\CurrentControlSet\Hardware
Profiles\Current\Software\Microsoft\windows\CurrentVersion\Internet Settings
ProxyEnable
1
Name W32/Rbot-AXG
Type
* Worm
How it spreads
* Network shares
Affected operating systems
* Windows
Side effects
* Allows others to access the computer
* Downloads code from the internet
* Reduces system security
* Installs itself in the Registry
* Exploits system or software vulnerabilities
* Used in DOS attacks
Prevalence (1-5) 2
Description
W32/Rbot-AXG is a network worm with backdoor functionality for the
Windows platform.
Advanced
W32/Rbot-AXG is a network worm with backdoor functionality for the
Windows platform.
W32/Rbot-AXG spreads to other network computers by exploiting common
buffer overflow vulnerabilities, including: RPC-DCOM (MS04-012), PNP
(MS05-039), IMAIL Server and ASN.1 (MS04-007).
W32/Rbot-AXG runs continuously in the background, providing a
backdoor server which allows a remote intruder to gain access and
control over the computer via IRC channels.
W32/Rbot-AXG can be controlled by a remote attacker over IRC channels.
The backdoor component of W32/Rbot-AXG can be instructed by a remote
user to perform the following functions:
start an FTP server
take part in distributed denial of service (DDoS) attacks
packet sniffing
port scanning
download/execute arbitrary files
start a remote shell (RLOGIN)
When first run W32/Rbot-AXG copies itself to
<Windows folder>\shost.exe.
The file shost.exe is registered as a new system driver service named
"ServiceHost", with a display name of "Service Hosts" and a startup
type of automatic, so that it is started automatically during system
startup. Registry entries are created under:
HKLM\SYSTEM\CurrentControlSet\Services\ServiceHost\
W32/Rbot-AXG sets the following registry entries, disabling the
automatic startup of other software:
HKLM\SYSTEM\CurrentControlSet\Services\Messenger
Start
4
HKLM\SYSTEM\CurrentControlSet\Services\RemoteRegistry
Start
4
HKLM\SYSTEM\CurrentControlSet\Services\TlntSvr
Start
4
Registry entries are set as follows:
HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate
DoNotAllowXPSP2
1
HKLM\SOFTWARE\Microsoft\Ole
EnableDCOM
N
HKLM\SYSTEM\CurrentControlSet\Control\Lsa
restrictanonymous
1
Registry entries are created under:
HKLM\SOFTWARE\Microsoft\Security Center\
HKLM\SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile\
HKLM\SOFTWARE\Policies\Microsoft\WindowsFirewall\StandardProfile\
Name W32/Sober-R
Type
* Worm
How it spreads
* Email attachments
Affected operating systems
* Windows
Side effects
* Sends itself to email addresses found on the infected computer
* Forges the sender's email address
* Uses its own emailing engine
* Installs itself in the Registry
Aliases
* W32/Sober.u.dr
Prevalence (1-5) 2
Description
W32/Sober-R is a mass-mailing worm.
When first run, a message box may be displayed with title 'Windows'
and containing the text 'Error: Text-File not complete'.
The email sent by W32/Sober-R depends on the recipient address.
The email characteristics will be one of the following:
Subject line: Thanks for your registration
Message text:
Thanks for your registration!
We have received your payment.
For more detailed information, read the attached text.
Attached file: reg_text.zip
OR
Subject line: Hi, Ich bin's
Message text:
Hier ist die Liste die du haben wolltest.
Du solltest dich aber auch eintragen!
OK, bis dann
Attached file: Liste.zip
Advanced
W32/Sober-R is a mass-mailing worm.
When first run, a message box may be displayed with title 'Windows'
and containing the text 'Error: Text-File not complete'.
The email sent by W32/Sober-R depends on the recipient address.
The email characteristics will be one of the following:
Subject line: Thanks for your registration
Message text:
Thanks for your registration!
We have received your payment.
For more detailed information, read the attached text.
Attached file: reg_text.zip
OR
Subject line: Hi, Ich bin's
Message text:
Hier ist die Liste die du haben wolltest.
Du solltest dich aber auch eintragen!
OK, bis dann
Attached file: Liste.zip
W32/Sober-R harvests email addresses from files with the following
strings in their filenames:
pmr phtm stm slk inbox imb csv bak imh xhtml imm imh cms nws vcf ctl
dhtm cgi pp ppt msg jsp oft vbs uin ldb abc pst cfg mdw mbx mdx mda
adp nab fdb vap dsp ade sln dsw mde frm bas adr cls ini ldif log mdb
xml wsh tbb abx abd adb pl rtf mmf doc ods nch xls nsf txt wab eml
hlp mht nfo php asp shtml dbx
When W32/Sober-R is installed the following files are created:
<Windows>\hjgerhds.exe
<Windows>\ConnectionStatus\services.exe
These files are detected as W32/Sober-R.
The following registry entry is created to run services.exe on startup:
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
_WinCheck
<Windows>\ConnectionStatus\services.exe
W32/Sober-R creates the following files in the windows system folder.
bbvmwxxf.hml
gdfjgthv.cvq
langeinf.lin
nonrunso.ber
rubezahl.rub
runstop.rst
These files may be deleted.
Name W32/Sober-S
Type
* Worm
How it spreads
* Email attachments
Affected operating systems
* Windows
Side effects
* Sends itself to email addresses found on the infected computer
* Forges the sender's email address
* Uses its own emailing engine
* Installs itself in the Registry
Aliases
* W32/Sober.v.dr
Prevalence (1-5) 2
Description
W32/Sober-S is a mass-mailing worm.
The email sent by W32/Sober-S depends on the recipient address.
The email characteristics will be one of the following:
Subject line: Ihre eMail!
Message text:
Guten Tag,
Ok, hier haben Sie sie wieder zurueck!
Tabelle jemand schickte mir eine Mail mit einer Excel oder Access
Tabelle (kenne mich da nicht so aus!).
Jedenfalls ist diese Mail aber an ihre Mail Adresse adressiert, aber
zu meiner gekommen??? Ist wohl irgendein Fehler.
Attached file: Tabelle.zip
OR
Subject line: Your email
Message text:
Hello,
Sorry, sorry sorry, because,, my English is not the best!
ok, I've got an email with an Excel-Table. But I am not the recipient,
the recipient are you!
I think, it's an mail error!
OK, here is your table back!
cya....
Attached file: excel_table.zip
Advanced
W32/Sober-S is a mass-mailing worm.
The email sent by W32/Sober-S depends on the recipient address.
The email characteristics will be one of the following:
Subject line: Ihre eMail!
Message text:
Guten Tag,
Ok, hier haben Sie sie wieder zurueck!
Tabelle jemand schickte mir eine Mail mit einer Excel oder Access
Tabelle (kenne mich da nicht so aus!).
Jedenfalls ist diese Mail aber an ihre Mail Adresse adressiert, aber
zu meiner gekommen??? Ist wohl irgendein Fehler.
Attached file: Tabelle.zip
OR
Subject line: Your email
Message text:
Hello,
Sorry, sorry sorry, because,, my English is not the best!
ok, I've got an email with an Excel-Table. But I am not the recipient,
the recipient are you!
I think, it's an mail error!
OK, here is your table back!
cya....
Attached file: excel_table.zip
W32/Sober-S harvests email addresses from files with the following
strings in their filenames:
pmr phtm stm slk inbox imb csv bak imh xhtml imm imh cms nws vcf ctl
dhtm cgi pp ppt msg jsp oft vbs uin ldb abc pst cfg mdw mbx mdx mda
adp nab fdb vap dsp ade sln dsw mde frm bas adr cls ini ldif log mdb
xml wsh tbb abx abd adb pl rtf mmf doc ods nch xls nsf txt wab eml
hlp mht nfo php asp shtml dbx
When W32/Sober-S is installed the following files are created:
<Windows>\hjgerhds.exe
<Windows>\ConnectionStatus\Microsoft\services.exe
These files are detected as W32/Sober-S.
The following registry entry is created to run services.exe on startup:
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
WinCheck
<Windows>\ConnectionStatus\Microsoft\services.exe
HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
_WinCheck
<Windows>\ConnectionStatus\Microsoft\services.exe
W32/Sober-S creates the following files in the windows system folder.
bbvmwxxf.hml
gdfjgthv.cvq
langeinf.lin
nonrunso.ber
rubezahl.rub
runstop.rst
These files may be deleted.
Name W32/Spybot-EF
Type
* Spyware Worm
How it spreads
* Peer-to-peer
Affected operating systems
* Windows
Side effects
* Allows others to access the computer
* Records keystrokes
* Installs itself in the Registry
Aliases
* P2P-Worm.Win32.SpyBot.gen
* W32/Spybot.worm.gen.bx
Prevalence (1-5) 2
Description
W32/Spybot-EF is a worm and IRC backdoor Trojan for the Windows
platform.
W32/Spybot-EF spreads via file sharing on P2P networks.
W32/Spybot-EF runs continuously in the background, providing a
backdoor server which allows a remote intruder to gain access and
control over the computer via IRC channels.
Advanced
W32/Spybot-EF is a worm and IRC backdoor Trojan for the Windows
platform.
W32/Spybot-EF spreads via file sharing on P2P networks.
W32/Spybot-EF runs continuously in the background, providing a
backdoor server which allows a remote intruder to gain access and
control over the computer via IRC channels.
When first run W32/Spybot-EF copies itself to:
<System>\kazaabackupfiles\crack.exe
<System>\tsasi.exe
The folder <System>\kazaabackupfiles is added as a shared folder for
Kazaa.
The following registry entries are created to run tsasi.exe on startup:
HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnce
Video Card Driver (do not remove)
TSASI.EXE
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Video Card Driver (do not remove)
TSASI.EXE
Registry entries are created under:
HKCU\Software\Kazaa\LocalContent\
Name W32/Sober-V
Type
* Worm
How it spreads
* Email attachments
Affected operating systems
* Windows
Side effects
* Sends itself to email addresses found on the infected computer
* Forges the sender's email address
* Uses its own emailing engine
* Installs itself in the Registry
Aliases
* Email-Worm.Win32.Sober.x
Prevalence (1-5) 2
Description
W32/Sober-V is a mass-mailing worm for the Windows platform.
When first run, a message box may be displayed with the title "MS
Outlook" and containing the text "Error in Outlook-Key".
The email characteristics will be one of the following, depending on
the recipient's address:
Subject line:
Your eMail Password
Message text:
Thanks for your registration! Your registration will not be complete
until you re-confirm it. Please read the following agreement. If you
accept it, click the "accept" to complete your registration!
Attached file:
Accept_e-Text.zip
Subject line:
Wichtig: Meine neue Mail Adresse!
Message text:
hi du,,, ike bin et
Musste mir leider ne neue Mail-Addy machen. Meine alte wird nur noch
zu gemuellt mit Spam.
Habe dir auch gleich die Datei mitgeliefert die du immer haben
wolltest. Ist aber ziemlich per....
Ok, man sieht sich
Attached file:
Mail-Datei.zip
W32/Sober-V harvests email addresses from files with the following
strings in their filenames:
abc abd abx adb ade adp adr asp bak bas cfg cgi cls cms csv ctl dbx
dhtm doc dsp dsw eml fdb frm hlp imb imh imh imm inbox ini jsp ldb
ldif log mbx mda mdb mde mdw mdx mht mmf msg nab nch nfo nsf nws ods
oft php phtm pl pmr pp ppt pst rtf shtml slk sln stm tbb txt uin vap
vbs vcf wab wsh xhtml xls xml
Advanced
W32/Sober-V is a mass-mailing worm for the Windows platform.
When first run, a message box may be displayed with the title "MS
Outlook" and containing the text "Error in Outlook-Key".
The email characteristics will be one of the following, depending on
the recipient's address:
Subject line:
Your eMail Password
Message text:
Thanks for your registration! Your registration will not be complete
until you re-confirm it. Please read the following agreement. If you
accept it, click the "accept" to complete your registration!
Attached file:
Accept_e-Text.zip
Subject line:
Wichtig: Meine neue Mail Adresse!
Message text:
hi du,,, ike bin et
Musste mir leider ne neue Mail-Addy machen. Meine alte wird nur noch
zu gemuellt mit Spam.
Habe dir auch gleich die Datei mitgeliefert die du immer haben
wolltest. Ist aber ziemlich per....
Ok, man sieht sich
Attached file:
Mail-Datei.zip
W32/Sober-V harvests email addresses from files with the following
strings in their filenames:
abc abd abx adb ade adp adr asp bak bas cfg cgi cls cms csv ctl dbx
dhtm doc dsp dsw eml fdb frm hlp imb imh imh imm inbox ini jsp ldb
ldif log mbx mda mdb mde mdw mdx mht mmf msg nab nch nfo nsf nws ods
oft php phtm pl pmr pp ppt pst rtf shtml slk sln stm tbb txt uin vap
vbs vcf wab wsh xhtml xls xml
When W32/Sober-V is installed, the following files are created:
<Windows folder>\vdfgvxvy.exe
<Windows folder>\ConnectionStatus\Microsoft\services.exe
The following registry entries are created to run services.exe on
startup:
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
WinCheck
<Windows folder>\ConnectionStatus\Microsoft\services.exe
HKCU\Software\Microsoft\Windows\CurrentVersion\Run
_WinCheck
<Windows folder>\ConnectionStatus\Microsoft\services.exe
W32/Sober-V creates the following files in the Windows system folder:
bbvmwxxf.hml
gdfjgthv.cvq
langeinf.lin
nonrunso.ber
rubezahl.rub
runstop.rst
These files are harmless and may be deleted safely.
Name W32/Brontok-G
Type
* Worm
How it spreads
* Email attachments
Affected operating systems
* Windows
Side effects
* Uses its own emailing engine
* Installs itself in the Registry
Aliases
* Email-Worm.Win32.Brontok.c
* W32.Rontokbro@mm
Prevalence (1-5) 2
Description
W32/Brontok-G is an email worm for the Windows platform.
Advanced
W32/Brontok-G is an email worm for the Windows platform.
When first run W32/Brontok-G copies itself to:
<User>\Local Settings\Application Data\csrss.exe
<User>\Local Settings\Application Data\inetinfo.exe
<User>\Local Settings\Application Data\lsass.exe
<User>\Local Settings\Application Data\services.exe
<User>\Local Settings\Application Data\smss.exe
<Windows>\ShellNew\sempalong.exe
<Windows>\eksplorasi.exe
The following registry entries are created to run W32/Brontok-G on
startup:
HKCU\Software\Microsoft\Windows\CurrentVersion\Run
Tok-Cirrhatus
<User>\Local Settings\Application Data\smss.exe
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Bron-Spizaetus
<Windows>\ShellNew\sempalong.exe
The following registry entry is changed to run eksplorasi.exe on
startup:
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon
Shell
Explorer.exe "<Windows>\eksplorasi.exe"
Registry entries are set as follows:
HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System
DisableRegistryTools
1
HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer
NoFolderOptions
1
HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System
DisableCMD
0
HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced
Hidden
0
HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced
HideFileExt
1
HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced
ShowSuperHidden
0
Name W32/Rbot-AAC
Type
* Spyware Worm
How it spreads
* Network shares
Affected operating systems
* Windows
Side effects
* Turns off anti-virus applications
* Allows others to access the computer
* Modifies data on the computer
* Steals information
* Drops more malware
Prevalence (1-5) 2
Description
W32/Rbot-AAC is a network worm which attempts to spread via network
shares. The worm contains backdoor functions that allows unauthorised
remote access to the infected computer via IRC channels while running
in the background.
The worm spreads to network shares with weak passwords and also by
using the RPC-DCOM security exploit (MS03-039).
W32/Rbot-AAC drops the file C:\hellmsn.exe and runs it. This file is
currently being detected by Sophos as W32/Mytob-H.
Advanced
W32/Rbot-AAC is a network worm which attempts to spread via network
shares. The worm contains backdoor functions that allows unauthorised
remote access to the infected computer via IRC channels while running
in the background.
The worm spreads to network shares with weak passwords and also by
using the RPC-DCOM security exploit (MS03-039).
When run W32/Rbot-AAC moves itself to the Windows System folder as a
hidden, read-only, system file named msnmsgs.exe. The worm then
copies itself to the following filenames:
C:\eminem vs 2pac.scr
C:\funny pic.scr
C:\photo album.scr
The above 3 files have their read-only, hidden, system and archive
file attributes set.
W32/Rbot-AAC then creates the following registry entries so as to run
itself on computer logon:
HKCU\Software\Microsoft\Windows\CurrentVersion\RunServices
MSN MESSENGER
msnmsgs.exe
HKCU\Software\Microsoft\Windows\CurrentVersion\Run
MSN MESSENGER
msnmsgs.exe
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices
MSN MESSENGER
msnmsgs.exe
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
MSN MESSENGER
msnmsgs.exe
The worm also creates the following registry entries:
HKCU\SYSTEM\CurrentControlSet\Control\Lsa
MSN MESSENGER
msnmsgs.exe
HKCU\Software\Microsoft\Ole
MSN MESSENGER
msnmsgs.exe
HKLM\SYSTEM\CurrentControlSet\Control\Lsa
MSN MESSENGER
msnmsgs.exe
HKLM\SOFTWARE\Microsoft\Ole
MSN MESSENGER
msnmsgs.exe
The worm changes the following registry entry as follows:
from:
HKLM\SOFTWARE\Microsoft\Ole
EnableDCOM
Y
to:
HKLM\SOFTWARE\Microsoft\Ole
EnableDCOM
N
from:
HKLM\SYSTEM\CurrentControlSet\Control\Lsa
restrictanonymous
dword:00000000
to:
HKLM\SYSTEM\CurrentControlSet\Control\Lsa
restrictanonymous
dword:00000001
Once installed, W32/Rbot-AAC will attempt to perform the following
actions when instructed to do so by a remote attacker:
scan ports
create an HTTPD server
create a SOCKS4 server
participate in distributed denial of service (DDoS) attacks
download and run files from the Internet
log keystrokes to the file %SYSTEM%\keys.txt
capture clipboard information
terminates anti-virus, security and Windows applications and processes
The worm also prevents accesses to anti-virus and security related
websites by appending the HOSTS file in the %SYSTEM%\drivers\etc
folder with the following mappings:
127.0.0.1 www.symantec.com
127.0.0.1 securityresponse.symantec.com
127.0.0.1 symantec.com
127.0.0.1 www.sophos.com
127.0.0.1 sophos.com
127.0.0.1 www.mcafee.com
127.0.0.1 mcafee.com
127.0.0.1 liveupdate.symantecliveupdate.com
127.0.0.1 www.viruslist.com
127.0.0.1 viruslist.com
127.0.0.1 viruslist.com
127.0.0.1 f-secure.com
127.0.0.1 www.f-secure.com
127.0.0.1 kaspersky.com
127.0.0.1 www.avp.com
127.0.0.1 www.kaspersky.com
127.0.0.1 avp.com
127.0.0.1 www.networkassociates.com
127.0.0.1 networkassociates.com
127.0.0.1 www.ca.com
127.0.0.1 ca.com
127.0.0.1 mast.mcafee.com
127.0.0.1 my-etrust.com
127.0.0.1 www.my-etrust.com
127.0.0.1 download.mcafee.com
127.0.0.1 dispatch.mcafee.com
127.0.0.1 secure.nai.com
127.0.0.1 nai.com
127.0.0.1 www.nai.com
127.0.0.1 update.symantec.com
127.0.0.1 updates.symantec.com
127.0.0.1 us.mcafee.com
127.0.0.1 liveupdate.symantec.com
127.0.0.1 customer.symantec.com
127.0.0.1 rads.mcafee.com
127.0.0.1 trendmicro.com
127.0.0.1 www.microsoft.com
127.0.0.1 www.trendmicro.com
W32/Rbot-AAC drops the file C:\hellmsn.exe and runs it. This file is
currently being detected by Sophos as W32/Mytob-H.
Name W32/Mario-C
Type
* Worm
Affected operating systems
* Windows
Side effects
* Installs itself in the Registry
Aliases
* Virus.Win32.VB.m
* W32/Generic.e
* W32.SillyFDC
Prevalence (1-5) 2
Description
W32/Mario-C is a worm for the Windows platform.
W32/Mario-C displays a fake error message with a title "Windows" and
a window text of "File Corrupted, Re-install".
If terminated, W32/Mario-C may display a fake error message with a
title "Unable to Terminate Process" and a window text of "This is a
critical system process. Task manager cannot end this process" and
will attempt to restart itself.
On the 12th of the month W32/Mario-C drops clean text files
containing the following:
Firihenkulhi (Soasange) Natto.
Kudakudhin falha (Soasange) Natto
Advanced
W32/Mario-C is a worm for the Windows platform.
W32/Mario-C copies the file Mario.exe, assuming this file to be a
copy of itself, to C:\windows\system32\rund11.exe and sets the
following registry entry to run this file on startup:
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Rund11
C:\windows\SYSTEM32\Rund11.EXE
W32/Mario-C periodically attempts to copy itself to A:\Mario.exe
W32/Mario-C displays a fake error message with a title "Windows" and
a window text of "File Corrupted, Re-install".
If terminated, W32/Mario-C may display a fake error message with a
title "Unable to Terminate Process" and a window text of "This is a
critical system process. Task manager cannot end this process" and
will attempt to restart itself.
On the 12th of the month W32/Mario-C writes
Firihenkulhi (Soasange) Natto.
Kudakudhin falha (Soasange) Natto
to the following files:
C:\FKnatto.txt
C:\Documents and Settings\All Users\Desktop\FKnatto.txt
Name Troj/Delf-PE
Type
* Spyware Trojan
Affected operating systems
* Windows
Side effects
* Allows others to access the computer
* Steals information
* Drops more malware
* Uses its own emailing engine
* Downloads code from the internet
* Reduces system security
* Installs itself in the Registry
Aliases
* Trojan.Win32.Delf.pe
* Spy-Agent.c
Prevalence (1-5) 2
Description
Troj/Delf-PE is an information stealing Trojan for the Windows
platform.
The Trojan has the ability to communicate with a remote server.
Advanced
Troj/Delf-PE is an information stealing Trojan for the Windows
platform.
When Troj/Delf-PE is installed the following files are created:
<Windows system folder>\divxenc.exe
<Windows system folder>\msld1.dll
Both divxenc.exe and msld1.dll are also detected as Troj/Delf-PE.
The following registry entries are created to run the Trojan each
time a user logs on:
HKCU\Software\Microsoft\MediaPlayer\Preferences\msld
dll1
"<Windows system folder>\msld1.dll"
HKCU\Software\Microsoft\MediaPlayer\Preferences\msld
run
"<Windows system folder>\divxenc.exe"
HKCU\Software\Microsoft\Windows NT\CurrentVersion\Winlogon
Shell
"Explorer.exe <Windows system folder>\divxenc.exe"
HKCU\Software\Microsoft\Windows\CurrentVersion\Run
divx
"<Windows system folder>\divxenc.exe"
Name Troj/Zlob-BC
Type
* Trojan
Affected operating systems
* Windows
Side effects
* Downloads code from the internet
* Installs itself in the Registry
Prevalence (1-5) 2
Description
Troj/Zlob-BC is a downloader Trojan.
Troj/Zlob-BC will contact predefined remote sites and download data.
The Trojan may then download further executable files and run them.
Troj/Zlob-BC displays the following fake warning message:
Your computer is infected!
Windows has detected spyware infection.
It is recommended to use special antispyware tools to prevent data
loss.
Windows will now download and install the most
up-to-date antispyware for you.
Click here to protect your computer from spyware.
Advanced
Troj/Zlob-BC is a downloader Trojan.
Troj/Zlob-BC will contact predefined remote sites and download data.
The Trojan may then download further executable files and run them.
Troj/Zlob-BC displays the following fake warning message:
Your computer is infected!
Windows has detected spyware infection.
It is recommended to use special antispyware tools to prevent data
loss.
Windows will now download and install the most
up-to-date antispyware for you.
Click here to protect your computer from spyware.
Troj/Zlob-BC installs the following files in the Windows system folder:
mscornet.exe (detected as Troj/Zlob-BC)
mssearch.exe (detected as Troj/Zlob-BC)
nvctrl.exe (detected as Troj/Zlob-BC)
ld????.tmp (detected as Troj/Zlob-BC)
ncompat.tlb (may be safely deleted)
msvol.tlb (may be safely deleted)
hp????.tmp (may be safely deleted)
where ???? are strings of randomly generated characters.
In order to run automatically each time Explorer initialises,
Troj/Zlob-BC will set the following registry entries:
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run
wininet.dll
mscornet.exe
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run
kernel32.dll
<System>\mssearch.exe
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run
nvctrl.exe
nvctrl.exe
In order to run automatically each time a user logs in, Troj/Zlob-BC
will add mscornet.exe to the following registry entry:
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon
Shell
Troj/Zlob-BC will attempt to hide its activity by injecting code into
EXPLORER.EXE.
Registry entries are also be created under:
HKCR\CLSID\(E9CCF15D-4C68-4B5A-9E9A-8E12E4BD39BD)
Name Troj/Bancban-IL
Type
* Spyware Trojan
Affected operating systems
* Windows
Side effects
* Steals credit card details
* Steals information
* Dropped by malware
Aliases
* Trojan-Spy.Win32.Banbra.df
Prevalence (1-5) 2
Description
Troj/Bancban-IL is a password stealing Trojan targeted at customers
of Brazilian banks.
Troj/Bancban-IL attempts to log keypresses entered into certain
websites and online banking applications. The Trojan may display fake
user interfaces in order to persuade the user to enter confidential
details. Stolen information is sent by email to a remote user.
Advanced
Troj/Bancban-IL is a password stealing Trojan targeted at customers
of Brazilian banks.
Troj/Bancban-IL attempts to log keypresses entered into certain
websites and online banking applications. The Trojan may display fake
user interfaces in order to persuade the user to enter confidential
details. Stolen information is sent by email to a remote user.
Troj/Bancban-IL is usually located as <System>\csrs.scr file.
Troj/Bancban-IL creates <System>\csrs.txt log file that is not
malicious and may be safely deleted.
Troj/Bancban-IL creates the following registry entry:
HKCU\Software\Microsoft\Windows\CurrentVersion\Run
dark
"<System>\csrs.scr"
Name OF97/Toraja-I
Type
* Virus
Aliases
* O97M.Toraja.Gen
* X97M/Toraja
* O97M_TORAJA.I
Prevalence (1-5) 2
Description
OF97/Toraja-I is a macro virus for the Microsoft Office 97 platform.
It will create an infected document in the following location to
ensure it is run when Excel starts.
C:\Program Files\Microsoft Office\Office\Xlstart\start25.xls
Name Troj/Cosiam-E
Type
* Trojan
Affected operating systems
* Windows
Side effects
* Allows others to access the computer
* Downloads code from the internet
* Installs itself in the Registry
* Used in DOS attacks
Aliases
* Trojan-Proxy.Win32.Small.bo
Prevalence (1-5) 2
Description
Troj/Cosiam-E is a proxy Trojan with backdoor capabilities.
Troj/Cosiam-E will contact a remote location in order to report
details of the infected computer.
Troj/Cosiam-E is capable of downloading and running further
executable files.
Troj/Cosiam-E may download and execute files from a remote website.
Advanced
Troj/Cosiam-E is a proxy Trojan with backdoor capabilities.
Troj/Cosiam-E will contact a remote location in order to report
details of the infected computer, including the port that the Trojan
is listening on, the computer's IP and operating system. The Trojan
may then download configuration data.
Troj/Cosiam-E is capable of downloading and running further
executable files.
When first run, Troj/Cosiam-E will copy itself to the Windows system
folder as multiran.exe. In order to run automatically each time a
user logs in, Troj/Cosiam-E will set the following registry entries:
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
multiran
<Windows system folder>\multiran.exe
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices
multiran
<Windows system folder>\multiran.exe
HKCU\Software\Microsoft\Windows\CurrentVersion\Run
multiran
<Windows system folder>\multiran.exe
Troj/Cosiam-E creates the following registry entry:
HKLM\SOFTWARE\Microsoft
ATI_VER
Troj/Cosiam-E may download and execute files from a remote website to
a file dxvw<4 numbers>.exe in the Windows system or Temp folder.
Troj/Cosiam-E may create an empty file bin28.log in the Windows
system folder.
The Trojan is capable of performing Denial of Service (DoS) attacks
on remote computers.
Name Troj/Banload-H
Type
* Trojan
Affected operating systems
* Windows
Side effects
* Downloads code from the internet
Aliases
* Trojan-Downloader.Win32.Banload.ib
Prevalence (1-5) 2
Description
Troj/Banload-H is a Trojan for the Windows platform.
Troj/Banload-H includes functionality to access the internet and
communicate with a remote server via HTTP.
Troj/Banload-H may try to silently download and execute programs from
a predefined web-site.
At the time of writing, this file is detected as Troj/Bancb-Fam.
Name Troj/Keylog-AR
Type
* Spyware Trojan
Affected operating systems
* Windows
Side effects
* Records keystrokes
* Installs itself in the Registry
Prevalence (1-5) 2
Description
Troj/Keylog-AR is a keylogging Trojan for the Windows platform.
The Trojan logs keypresses and mouse clicks to the following files:
<Windows>\_key.txt
<Windows>\_mouse.txt
Advanced
Troj/Keylog-AR is a keylogging Trojan for the Windows platform.
The Trojan logs keypresses and mouse clicks to the following files:
<Windows>\_key.txt
<Windows>\_mouse.txt
When first run Troj/Keylog-AR copies itself to <System>\IMEvtMgr.exe
and creates the following files:
<System>\khook.dll
<System>\mhook.dll
The following registry entry is created to run IMEvtMgr.exe on startup:
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
IMEvtMgr.exe
IMEvtMgr.exe
Name Troj/Lecna-F
Type
* Trojan
Affected operating systems
* Windows
Side effects
* Allows others to access the computer
* Drops more malware
* Installs itself in the Registry
Aliases
* BackDoor-CSB
Prevalence (1-5) 2
Description
Troj/Lecna-F is a backdoor Trojan for the Windows platform.
Troj/Lecna-F includes functionality to access the internet and
communicate with a remote server via HTTP.
Troj/Lecna-F drops a file detected by Sophos's anti-virus products as
either Troj/RKPort-Fam or Troj/RKProc-Fam.
Advanced
Troj/Lecna-F is a backdoor Trojan for the Windows platform.
Troj/Lecna-F includes functionality to access the internet and
communicate with a remote server via HTTP.
When first run Troj/Lecna-F copies itself to
<Windows system folder>\winword.exe and creates the file
<Windows system folder>\drivers\USBTest.sys.
The file USBTest.sys is detected by Sophos's anti-virus products as
either Troj/RKPort-Fam or Troj/RKProc-Fam.
The file USBTest.sys is registered as a new system driver service
named "USBTest", with a display name of "USBTest". Registry entries
are created under:
HKLM\SYSTEM\CurrentControlSet\Services\USBTest\
Registry entries are created under:
HKLM\SOFTWARE\Microsoft\CurrentNetInf\
Name Troj/PWSYahoo-A
Type
* Spyware Trojan
Affected operating systems
* Windows
Side effects
* Steals information
* Records keystrokes
* Installs itself in the Registry
Aliases
* Backdoor.Win32.VB.xw
* Trojan-PSW.Win32.VB.dk
* W32/Backdoor.IZ
* BKDR_VB.XW
Prevalence (1-5) 2
Description
Troj/PWSYahoo-A is a password stealing Trojan targeting the Yahoo!
Messenging service.
Advanced
Troj/PWSYahoo-A is a password stealing Trojan targeting the Yahoo!
Messenging service.
Troj/PWSYahoo-A will send stolen information to a remote user via
email.
When first run Troj/PWSYahoo-A copies itself to <Windows>\NDDENB.exe.
The following registry entry is created to run NDDENB.exe on startup:
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Microsoft PCHealth32
NDDENB.exe
The following registry entry is set, disabling the registry editor
(regedit):
HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System
disableregistrytools
1
--- MultiMail/Win32 v0.43
* Origin: Try Our Web Based QWK: DOCSPLACE.ORG (1:123/140)
|