Text 77, 926 rader
Skriven 2005-12-17 12:07:00 av KURT WISMER (1:123/140)
Ärende: News, December 17 2005
==============================
[cut-n-paste from sophos.com]
Name Troj/BagleDl-AO
Type
* Trojan
Affected operating systems
* Windows
Side effects
* Downloads code from the internet
* Installs itself in the Registry
Prevalence (1-5) 3
Description
Troj/BagleDl-AO is a Trojan for the Windows platform.
When first run, Troj/BagleDl-AO opens a graphics file named
ntimage.gif with the default image viewer.
The latest Bagle Trojan horse open a graphics file when first run
The latest Bagle Trojan horse open a graphics file when first run.
Troj/BagleDl-AO attempts to download files from a number of
pre-specified URLs to a file <Windows folder\exefld\<random
number>.exe and run it.
Advanced
Troj/BagleDl-AO is a Trojan for the Windows platform.
When first run, Troj/BagleDl-AO opens a graphics file named
ntimage.gif with the default image viewer.
The latest Bagle Trojan horse open a graphics file when first run
The latest Bagle Trojan horse open a graphics file when first run.
Troj/BagleDl-AO attempts to download files from a number of
pre-specified URLs to a file <Windows folder\exefld\<random
number>.exe and run it.
When first run Troj/BagleDl-AO copies itself to <Windows system
folder>\anti_troj.exe.
The following registry entries are created to run antiav_exe.exe on
startup:
HKCU\Software\Microsoft\Windows\CurrentVersion\Run
anti_troj
<Windows system folder>\anti_troj.exe
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
anti_troj
<Windows system folder>\anti_troj.exe
Troj/BagleDl-AO also sets the following registry entry:
HKCU\Software\FirstRRRun
FirstRRRun
Name Troj/BagleDl-AN
Type
* Trojan
Affected operating systems
* Windows
Side effects
* Downloads code from the internet
* Installs itself in the Registry
Prevalence (1-5) 3
Description
Troj/BagleDl-AN is a Trojan for the Windows platform.
When first run, Troj/BagleDl-AN opens a graphics file named
ntimage.gif with the default image viewer.
The latest Bagle Trojan horse open a graphics file when first run
The latest Bagle Trojan horse open a graphics file when first run.
Troj/BagleDl-AN attempts to download files from a number of
pre-specified URLs.
Advanced
Troj/BagleDl-AN is a Trojan for the Windows platform.
When first run, Troj/BagleDl-AN opens a graphics file named
ntimage.gif with the default image viewer.
The latest Bagle Trojan horse open a graphics file when first run
The latest Bagle Trojan horse open a graphics file when first run.
Troj/BagleDl-AN attempts to download files from a number of
pre-specified URLs to the file <Windows\exefld\<random number>.exe
and run it.
When first run Troj/BagleDl-AN copies itself to <System>\anti_troj.exe.
The following registry entries are created to run antiav_exe.exe on
startup:
HKCU\Software\Microsoft\Windows\CurrentVersion\Run
anti_troj
<System>\anti_troj.exe
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
anti_troj
<System>\anti_troj.exe
Troj/BagleDl-AN also sets the following registry entry:
HKCU\Software\FirstRRRun
FirstRRRun
Name Troj/Bckdr-AWR
Type
* Trojan
Affected operating systems
* Windows
Side effects
* Allows others to access the computer
* Installs itself in the Registry
Aliases
* BackDoor-AWQ.b
Prevalence (1-5) 2
Description
Troj/Bckdr-AWR is a Trojan for the Windows platform.
Troj/Bckdr-AWR includes functionality to access the internet and
communicate with a remote server via HTTP.
When first run Troj/Bckdr-AWR copies itself to <Windows>\Windows.exe.
The file Windows.exe is registered as a new system driver service
with a service name and display name that contains non-Roman
characters and a startup type of automatic, so that the service is
started automatically during system startup.
Advanced
Troj/Bckdr-AWR is a Trojan for the Windows platform.
Troj/Bckdr-AWR includes functionality to access the internet and
communicate with a remote server via HTTP.
When first run Troj/Bckdr-AWR copies itself to <Windows>\Windows.exe.
The file Windows.exe is registered as a new system driver service
with a service name and display name that contains non-Roman
characters and a startup type of automatic, so that the service is
started automatically during system startup. Registry entries are
created under:
HKLM\SYSTEM\CurrentControlSet\Services\<service name>\
Name Troj/Small-CAM
Type
* Trojan
Affected operating systems
* Windows
Side effects
* Downloads code from the internet
Aliases
* Trojan-Downloader.Win32.Small.cam
Prevalence (1-5) 2
Description
Troj/Small-CAM is a Trojan for the Windows platform.
Troj/Small-CAM includes functionality to download additional files
from a remote site.
Name Troj/Fasong-B
Type
* Trojan
Affected operating systems
* Windows
Side effects
* Allows others to access the computer
* Installs itself in the Registry
Aliases
* Trojan-PSW.Win32.Lmir.apk
Prevalence (1-5) 2
Description
Troj/Fasong-B is a Trojan for the Windows platform.
Advanced
Troj/Fasong-B is a Trojan for the Windows platform.
When Troj/Fasong-B is installed the following files are created:
\Programma's\jajlee.dll
\Programma's\svchost.exe
\filedebug
Registry entries are created under:
HKCR\BFWorkFile1007PV\
The file jajlee.dll is registered as a COM object and ShellExecute
hook, creating registry entries under:
HKCR\CLSID\(78E611A2-E484-4A0D-811E-C40100A3F452)
HKCR\jajlee.ShellExecuteHook1007\
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHoo
ks\
Name W32/Rbot-BBB
Type
* Worm
How it spreads
* Network shares
Affected operating systems
* Windows
Side effects
* Allows others to access the computer
* Installs itself in the Registry
* Exploits system or software vulnerabilities
Aliases
* Backdoor.Win32.Rbot.age
* W32/Sdbot.worm.gen.bh
Prevalence (1-5) 2
Description
W32/Rbot-BBB is a worm and IRC backdoor Trojan for the Windows
platform.
W32/Rbot-BBB runs continuously in the background, providing a
backdoor server which allows a remote intruder to gain access and
control over the computer via IRC channels.
W32/Rbot-BBB spreads to remote network shares protected by weak
passwords and to computers vulnerable to common exploits, including
LSASS (MS04-011), RPC-DCOM , (MS04-012), WebDav (MS03-007), IIS5SSL
(MS04-011) (CAN-2003-0719), UPNP (MS01-059), Dameware (CAN-2003-1030)
and ASN.1 (MS04-007).
Advanced
W32/Rbot-BBB is a worm and IRC backdoor Trojan for the Windows
platform.
W32/Rbot-BBB runs continuously in the background, providing a
backdoor server which allows a remote intruder to gain access and
control over the computer via IRC channels.
W32/Rbot-BBB spreads to remote network shares protected by weak
passwords and to computers vulnerable to common exploits, including
LSASS (MS04-011), RPC-DCOM , (MS04-012), WebDav (MS03-007), IIS5SSL
(MS04-011) (CAN-2003-0719), UPNP (MS01-059), Dameware (CAN-2003-1030)
and ASN.1 (MS04-007).
When first run W32/Rbot-BBB copies itself to <System>\MSGUPDAT32.EXE.
The following registry entries are created to run MSGUPDAT32.EXE on
startup:
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
MICROSFT RAMA UPDATE SUPPORT
MSGUPDAT32.EXE
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices
MICROSFT RAMA UPDATE SUPPORT
MSGUPDAT32.EXE
The following registry entry is set:
HKCU\Software\Microsoft\OLE
MICROSFT RAMA UPDATE SUPPORT
MSGUPDAT32.EXE
Name W32/Sdbot-AGZ
Type
* Spyware Worm
How it spreads
* Network shares
Affected operating systems
* Windows
Side effects
* Allows others to access the computer
* Steals information
* Drops more malware
* Downloads code from the internet
* Reduces system security
* Installs itself in the Registry
* Exploits system or software vulnerabilities
* Used in DOS attacks
Prevalence (1-5) 2
Description
W32/Sdbot-AGZ is a network worm with backdoor functionality for the
Windows platform.
Advanced
W32/Sdbot-AGZ is a network worm with backdoor functionality for the
Windows platform.
When first run, W32/Sdbot-AGZ copies itself to the Windows system
folder as flxper.exe and creates the following registry entries in
order to run each time a user logs on:
HKCU\Software\Microsoft\Windows\CurrentVersion\Run
NotFaut
"flxper.exe"
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
NotFaut
"flxper.exe"
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices
NotFaut
"flxper.exe"
The worm spreads through network shares protected by weak passwords,
MS-SQL servers and through various operating system vulnerabilities.
W32/Sdbot-AGZ connects to a predetermined IRC channel and awaits
further commands from remote users. The backdoor component of
W32/Sdbot-AGZ can be instructed to perform the following functions:
scan networks for vulnerabilities
download/execute arbitrary files
start an ftp server
W32/Sdbot-AGZ has also been seen bundled with Troj/Ranck-DJ.
Name Troj/Stinx-M
Type
* Spyware Trojan
Affected operating systems
* Windows
Side effects
* Turns off anti-virus applications
* Allows others to access the computer
* Steals information
* Downloads code from the internet
* Installs itself in the Registry
* Used in DOS attacks
Aliases
* BKDR_BREPLIBOT.M
* Backdoor.Win32.Breplibot.n
Prevalence (1-5) 2
Description
Troj/Stinx-M is a backdoor Trojan for the Windows platform.
Troj/Stinx-M can be instructed to delete, download and execute files.
Advanced
Troj/Stinx-M is a backdoor Trojan for the Windows platform.
Troj/Stinx-M connects to one of several IP addresses and runs
continuously in the background, providing a backdoor server which
allows a remote intruder to gain access and control over the computer
via IRC channels.
When first run Troj/Stinx-M copies itself to <System>\csrdeu32.exe
and creates the following files:
<Temp>\159.bat (may be safely deleted)
<Temp>\436.bat (may be safely deleted)
The following registry entries are created to run csrdeu32.exe on
startup:
HKCU\Software\Microsoft\Windows\CurrentVersion\Run
TaskControlLog
csrdeu32.exe
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
TaskControlLog
csrdeu32.exe
Troj/Stinx-M can be instructed to delete, download and execute files.
Troj/Stinx-M will attempt to circumvent the Windows Firewall if it is
present by adding itself to the list of allowed programs.
Troj/Stinx-M may arrive as an email attachment wherein it is claimed
that the attached file is a photograph to be published that requires
approval.
Name Troj/Dloadr-ABQ
Type
* Trojan
Affected operating systems
* Windows
Side effects
* Downloads code from the internet
Aliases
* Trojan-Downloader.Win32.Agent.aap
* Downloader-AFM
Prevalence (1-5) 2
Description
Troj/Dloadr-ABQ is a Trojan for the Windows platform.
Troj/Dloadr-ABQ includes functionality to download, install and run
new software.
Advanced
Troj/Dloadr-ABQ is a Trojan for the Windows platform.
Troj/Dloadr-ABQ includes functionality to download, install and run
new software.
The Troj/Dloadr-ABQ is registered as a COM object, creating registry
entries under:
HKCR\CLSID\{57BC7883-DC91-4FD1-9990-17CF340FA2C7}
HKCR\CLSID\{F1B8F486-E9BA-494C-90E0-5CCFAF307BAD}
HKCR\Interface\{051B96E7-7B96-4D2B-8ABF-ED9EA8909978}
HKCR\Interface\{B913EE78-0814-40A5-98AB-020BA700325E}
HKCR\SETUP.SETUPCtrl.1\
HKCR\TypeLib\{A521AA90-1E07-4AF0-8C96-5F6EDD54E99E}
Name Troj/Borobot-X
Type
* Spyware Trojan
Affected operating systems
* Windows
Side effects
* Allows others to access the computer
* Steals information
* Downloads code from the internet
* Reduces system security
* Installs itself in the Registry
* Exploits system or software vulnerabilities
* Used in DOS attacks
Prevalence (1-5) 2
Description
Troj/Borobot-X is a Trojan for the Windows platform.
Troj/Borobot-X connects to a remote IRC server and awaits commands
from attackers.
Advanced
Troj/Borobot-X is a Trojan for the Windows platform.
When first run, Troj/Borobot-X copies itself to the Windows system
folder as SMSS.EXE and creates the following registry entry in order
to run each time a user logs on:
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
smss
"<Windows system folder>\SMSS.EXE"
Troj/Borobot-X connects to a remote IRC server and awaits commands
from attackers.
The Trojan attempts to terminate the following security related
processes:
kavsvc
navapsvc
SAVScan
SharedAccess
Symantec Core LC
wscsvc
wuauserv
Troj/Borobot-X also deletes the following registry entry if it exists:
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
KavPersonal50
Troj/Borobot-X can be used by remote attackers as an email relay.
Name Troj/Dumador-ET
Type
* Spyware Trojan
Affected operating systems
* Windows
Side effects
* Allows others to access the computer
* Modifies data on the computer
* Drops more malware
* Downloads code from the internet
* Records keystrokes
* Installs itself in the Registry
* Leaves non-infected files on computer
Aliases
* Backdoor.Win32.Dumador.et
* W32/Dumaru.gen@MM
Prevalence (1-5) 2
Description
Troj/Dumador-ET is a Trojan for the Windows platform.
Advanced
Troj/Dumador-ET is a Trojan for the Windows platform.
When first run Troj/Dumador-ET copies itself to <System>\winldra.exe
and creates the following files:
<Windows>\dvpd.dll
<Windows>\netdx.dat
<Windows>\sendlogs_dat
<Temp>\fe43e701.htm
The file dvpd.dll is detected as Troj/Dumaru-BR.
The following registry entry is created to run winldra.exe on startup:
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
load32
<System>\winldra.exe
Troj/Dumador-ET changes settings for Microsoft Internet Explorer by
modifying values under:
HKCU\Software\Microsoft\Internet Explorer\Main\
Registry entries are created under:
HKCU\Software\SARS\
Name Troj/Mainzz-F
Type
* Trojan
Affected operating systems
* Windows
Side effects
* Exploits system or software vulnerabilities
* Dropped by malware
Aliases
* Net-Worm.Win32.Dedler.q
* Exploit-Lsass.dll
* Hacktool.Scan
Prevalence (1-5) 2
Description
Troj/Mainzz-F is a Trojan DLL that provides malicious functionality
to another worm or Trojan.
Troj/Mainzz-F contains functionality to exploit the LSASS (MS04-011)
vulnerability and may be used by a worm to spread to remote network
shares with weak passwords.
Name W32/Rbot-BCC
Type
* Worm
How it spreads
* Network shares
Affected operating systems
* Windows
Side effects
* Allows others to access the computer
* Installs itself in the Registry
* Exploits system or software vulnerabilities
Aliases
* Backdoor.Win32.Rbot.akx
Prevalence (1-5) 2
Description
W32/Rbot-BCC is a worm and IRC backdoor Trojan for the Windows
platform.
W32/Rbot-BCC runs continuously in the background, providing a
backdoor server which allows a remote intruder to gain access and
control over the computer via IRC channels.
The worm attempts to spread by copying itself to remote network
shares with weak passwords and by exploiting the following system
vulnerabilities: LSASS (MS04-011), RPC-DCOM (MS04-012), WebDav
(MS03-007) and UPNP (MS01-059).
Advanced
W32/Rbot-BCC is a worm and IRC backdoor Trojan for the Windows
platform.
W32/Rbot-BCC runs continuously in the background, providing a
backdoor server which allows a remote intruder to gain access and
control over the computer via IRC channels.
The worm attempts to spread by copying itself to remote network
shares with weak passwords and by exploiting the following system
vulnerabilities: LSASS (MS04-011), RPC-DCOM (MS04-012), WebDav
(MS03-007) and UPNP (MS01-059).
When first run W32/Rbot-BCC copies itself to <System>\logonnui.exe.
The following registry entries are created to run logonnui.exe on
startup:
HKCU\Software\Microsoft\Windows\CurrentVersion\Run
Microsoft Logon User Interface
logonnui.exe
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Microsoft Logon User Interface
logonnui.exe
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices
Microsoft Logon User Interface
logonnui.exe
Registry entries are set as follows:
HKLM\SOFTWARE\Microsoft\Ole
EnableDCOM
N
HKLM\SYSTEM\CurrentControlSet\Control\Lsa
restrictanonymous
1
Name Troj/Bancban-LZ
Type
* Spyware Trojan
Affected operating systems
* Windows
Side effects
* Steals information
* Installs itself in the Registry
Aliases
* Trojan-Spy.Win32.Banker.ahy
* PWS-Banker.gen.b
Prevalence (1-5) 2
Description
Troj/Bancban-LZ is a Trojan for the Windows platform.
Troj/Bancban-LZ includes functionality to send notification messages
to remote locations.
Advanced
Troj/Bancban-LZ is a Trojan for the Windows platform.
Troj/Bancban-LZ includes functionality to send notification messages
to remote locations.
When first run Troj/Bancban-LZ copies itself to <Windows>\wupdmgr.exe.
The following registry entry is created to run Troj/Bancban-LZ on
startup:
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Windows Update
<Windows>\wupdmgr.exe
Name Troj/Nuclear-O
Type
* Trojan
Affected operating systems
* Windows
Side effects
* Allows others to access the computer
* Installs itself in the Registry
Aliases
* Backdoor.Win32.Nuclear.r
Prevalence (1-5) 2
Description
Troj/Nuclear-O is a backdoor Trojan for the Windows platform.
Advanced
Troj/Nuclear-O is a backdoor Trojan for the Windows platform.
When first run Troj/Nuclear-O copies itself to <Program Files>\nr\My
File\Huge\Long\Path\example.exe and creates the file <Program
Files>\nr\My File\Huge\Long\Path\example.dll.
Registry entries are created under:
HKCR\dllfile\shell\open\command\
Name Troj/Zapchas-AF
Type
* Trojan
Affected operating systems
* Windows
Side effects
* Allows others to access the computer
* Drops more malware
* Installs itself in the Registry
* Leaves non-infected files on computer
Aliases
* Backdoor.IRC.Zapchast
* IRC/Flood.gen.dr
Prevalence (1-5) 2
Description
Troj/Zapchas-AF is a backdoor Trojan for the Windows platform.
Troj/Zapchas-AF runs continuously in the background, providing a
backdoor server which allows a remote intruder to gain access and
control over the computer via IRC channels.
Advanced
Troj/Zapchas-AF is a backdoor Trojan for the Windows platform.
Troj/Zapchas-AF runs continuously in the background, providing a
backdoor server which allows a remote intruder to gain access and
control over the computer via IRC channels.
Troj/Zapchas-AF includes functionality to access the internet and
communicate with a remote server via HTTP.
When Troj/Zapchas-AF is installed the following files are created:
<System>\drivers\nVIDIA\ymsg\aliases.ini
<System>\drivers\nVIDIA\ymsg\control.ini
<System>\drivers\nVIDIA\ymsg\fullname.txt
<System>\drivers\nVIDIA\ymsg\ident.txt
<System>\drivers\nVIDIA\ymsg\mirc.ico
<System>\drivers\nVIDIA\ymsg\mirc.ini
<System>\drivers\nVIDIA\ymsg\nicks.txt
<System>\drivers\nVIDIA\ymsg\remote.ini
<System>\drivers\nVIDIA\ymsg\script.ini
<System>\drivers\nVIDIA\ymsg\servers.ini
<System>\drivers\nVIDIA\ymsg\sup.bat
<System>\drivers\nVIDIA\ymsg\sup.reg
<System>\drivers\nVIDIA\ymsg\svchost.exe
<System>\drivers\nVIDIA\ymsg\users.ini
The file svchost.exe is an IRC application that has been infected
with W32/Parite-B.
The following registry entries are set or modified, so that
svchost.exe is run when files with extensions of CHA and IRC are
opened/launched:
HKCR\ChatFile\Shell\open\command
(default)
<System>\drivers\nVIDIA\ymsg\svchost.exe" -noconnect
HKCR\irc\Shell\open\command
(default)
<System>\drivers\nVIDIA\ymsg\svchost.exe" -noconnect
Registry entries are set as follows:
HKCR\ChatFile\DefaultIcon
(default)
<System>\drivers\nVIDIA\ymsg\svchost.exe
HKCR\irc\DefaultIcon
(default)
<System>\drivers\nVIDIA\ymsg\svchost.exe
Registry entries are created under:
HKCU\Software\Microsoft\Microsoft Agent\
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\mIRC\
Name Troj/Dloadr-ACM
Type
* Trojan
Affected operating systems
* Windows
Side effects
* Downloads code from the internet
Prevalence (1-5) 2
Description
Troj/Dloadr-ACA is a downloader Trojan for the Windows platform.
Advanced
Troj/Dloadr-ACM is a downloader Trojan for the Windows platform.
Troj/Dloadr-ACM includes functionality to download, install and run
new software.
When Troj/Dloadr-ACM is installed, the following files are downloaded
and installed:
<System>\snddrv32.dll
<System>\sndctl32.dll
<System>\svcclient.exe
<System>\svcctl32.exe
At the time of writing the downloaded files are detected by Sophos's
anti-virus products as Troj/Dcmbot-H.
--- MultiMail/Win32 v0.43
* Origin: Try Our Web Based QWK: DOCSPLACE.ORG (1:123/140)
|