Conference VIRUS, 378 texts
Text 102, 1911 lines
Written 2005-02-20 23:46:00 by KURT WISMER (1:123/140)
Subject: News, Feb. 20 2005
==========================
[cut-n-paste from sophos.com]

Name   W32/MyDoom-O

Type  
    * Worm

How it spreads  
    * Email messages

Affected operating systems  
    * Windows

Aliases  
    * WORM_MYDOOM.M
    * I-Worm.Mydoom.m
    * W32/Mydoom.bb

Prevalence (1-5) 4

Description
W32/MyDoom-O is an email worm. When first run, the worm copies itself to 
either the Windows or Temp folders as java.exe, and adds one of the 
following registry entries to ensure that the copy is run each time 
Windows starts:

HKLM\Software\Microsoft\Windows\CurrentVersion\Run\JavaVM
HKCU\Software\Microsoft\Windows\CurrentVersion\Run\JavaVM

W32/MyDoom-O also creates a file named services.exe in the Windows or 
Temp folder and runs the file. Services.exe is a backdoor component.

W32/MyDoom-O searches the hard disk for email addresses. The worm searches 
files with the extensions PL*, PH*, TX*, HT*, ASP, TBB, SHT*, WAB, ADB 
and DBX and the Windows address book. In addition the worm may use an 
internet search engine to find more email addresses. The worm will send 
a query to the search engine using domain names from email addresses 
found on the hard disk and then examine the query results, searching for 
more addresses. The internet search engines used by W32/MyDoom-O and the 
percentage chance that each is used are:

www.google.com (45%)
search.lycos.com (22.5%)
search.yahoo.com (20%)
www.altavista.com (12.5%)

When choosing addresses to send itself to, W32/MyDoom-O will avoid 
addresses which contain any of the following strings:

mailer-d
spam
abuse
master
sample
accoun
privacycertific
bugs
listserv
submit
ntivi
support
admin
page
the.bat
gold-certs
ca
feste
not
help
foo
no
soft
site
rating
me
you
your
someone
anyone
nothing
nobody
noone
info
winrar
winzip
rarsoft
sf.net
sourceforge
ripe.
arin.
google
gnu.
gmail
seclist
secur
bar.
foo.com
trend
update
uslis
domain
example
sophos
yahoo
spersk
panda
hotmail
msn.
msdn.
microsoft
sarc.
syma
avp

The email sent by the worm has a spoofed sender.

The subject line may be blank or one of the following:

hello
hi
error
status
test
report
delivery failed
Message could not be delivered
Mail System Error - Returned Mail
Delivery reports about your e-mail
Returned mail: see transcript for details
Returned mail: Data format error

The message text of the email is constructed from a set of optional 
strings within the worm. The message sent is blank or similar to one of 
the following messages:

Dear user of <domain>
Mail server administrator of <domain> would like to inform you that We 
have detected that your e-mail account has been used to send a large 
amount of unsolicited e-mail messages during this recent week. We 
suspect that your computer had been compromised by a recent virus and 
now runs a trojan proxy server. Please follow our instructions in the 
attachment file in order to keep your computer safe. Virtually yours
<domain> user support team.

The message could not be delivered

The original message was included as attachment

The original message was received at <time> from <address>

----- The following addresses had permanent fatal errors -----
<address>
----- Transcript of the session follows -----
... while talking to host <hostname>:
>>> MAIL From:<address>
<<< 501 User unknown
Session aborted
>>> RCPT To:<address>
<<< 550 MAILBOX NOT FOUND

The message was undeliverable due to the following reason(s):
Your message was not delivered because the destination computer was not 
reachable within the allowed queue period. The amount of time a message 
is queued before it is returned depends on local configuration 
parameters. Most likely there is a network problem that prevented 
delivery, but it is also possible that the computer is turned off, or 
does not have a mail system running right now.

Your message was not delivered within <number> days: Mail server 
<hostname> is not responding. The following recipients did not receive 
this message: <address> Please reply to postmaster@<domain> if you feel 
this message to be in error.

The attached file may be named similarly to the recipient's username or 
domain or using one of the following names:

readme
instruction
transcript
mail
letter
file
text
attachment
document
message

with an optional extension of DOC, TXT, HTM, HTML and a final extension 
of EXE, COM, BAT, CMD, SCR or PIF. The attached file may also be a zip 
file containing a file named as described.





Name   W32/MyDoom-BC

Type  
    * Worm

How it spreads  
    * Email attachments

Affected operating systems  
    * Windows

Side effects  
    * Sends itself to email addresses found on the infected computer
    * Forges the sender's email address
    * Uses its own emailing engine
    * Installs itself in the Registry

Aliases  
    * Email-Worm.Win32.Mydoom.am
    * W32/Mydoom.bc@MM
    * W32/Mydoom.db@MM
    * Worm.Mydoom.M-2

Prevalence (1-5) 2

Description
W32/MyDoom-BC is an email worm for the Windows platform.

Email sent by the worm has characteristics similar to the following 
examples:

Subject line:

hi
error
test
Message could not be delivered

Message body:

Dear user of <domain>
Mail server administrator of <domain> would like to inform you that
We have detected that your e-mail account has been used to send a large
amount of unsolicited e-mail messages during this recent week.
We suspect that your computer had been compromised by a recent virus and now
runs a trojan proxy server.
Please follow our instructions in the attachment file
in order to keep your computer safe.
Virtually yours
<domain> user support team.

Attached file:

attachment.com
letter.zip
<username>.exe

Advanced
W32/MyDoom-BC is an email worm. When first run, the worm copies itself 
to either the Windows or Temp folders as java.exe, and adds one of the 
following registry entries to ensure that the copy is run each time 
Windows starts:

HKLM\Software\Microsoft\Windows\CurrentVersion\Run\JavaVM
HKCU\Software\Microsoft\Windows\CurrentVersion\Run\JavaVM

W32/MyDoom-BC also creates a file named services.exe in the Windows or 
Temp folder and runs the file. Services.exe is a backdoor component.

W32/MyDoom-BC searches the hard disk for email addresses. The worm searches 
files with the extensions PL*, PH*, TX*, HT*, ASP, TBB, SHT*, WAB, ADB 
and DBX and the Windows address book. In addition the worm may use an 
internet search engine to find more email addresses. The worm will send 
a query to the search engine using domain names from email addresses 
found on the hard disk and then examine the query results, searching for 
more addresses. The internet search engines used by W32/MyDoom-BC and 
the percentage chance that each is used are:

www.google.com (45%)
search.lycos.com (22.5%)
search.yahoo.com (20%)
www.altavista.com (12.5%)

When choosing addresses to send itself to, W32/MyDoom-BC will avoid 
addresses which contain any of the following strings:

abuse
accoun
admin
anyone
arin.
avp
bar.
bugs
ca
domain
example
feste
foo
foo.com
gmail
gnu.
gold-certs
google
help
hotmail
info
listserv
mailer-d
master
me
microsoft
msdn.
msn.
no
nobody
noone
not
nothing
ntivi
page
panda
privacycertific
rarsoft
rating
ripe.
sample
sarc.
seclist
secur
sf.net
site
soft
someone
sophos
sourceforge
spam
spersk
submit
support
syma
the.bat
trend
update
uslis
winrar
winzip
yahoo
you
your

The email sent by the worm has a spoofed sender.

The subject line may be blank or one of the following:

hello
hi
error
status
test
report
delivery failed
Message could not be delivered
Mail System Error - Returned Mail
Delivery reports about your e-mail
Returned mail: see transcript for details
Returned mail: Data format error

The message text of the email is constructed from a set of optional 
strings within the worm. The message sent is blank or similar to one of 
the following messages:

Dear user of <domain>
Mail server administrator of <domain> would like to inform you that
We have detected that your e-mail account has been used to send a large
amount of unsolicited e-mail messages during this recent week.
We suspect that your computer had been compromised by a recent virus and now
runs a trojan proxy server.
Please follow our instructions in the attachment file
in order to keep your computer safe.
Virtually yours
<domain> user support team.

The message could not be delivered

The original message was included as attachment

The original message was received at <time> from <address>
----- The following addresses had permanent fatal errors -----
<address>
----- Transcript of the session follows -----
... while talking to host <hostname>:
>>> MAIL From:<address>
<<< 501 User unknown
Session aborted
>>> RCPT To:<address>
<<< 550 MAILBOX NOT FOUND

The message was undeliverable due to the following reason(s):
Your message was not delivered because the destination computer was
not reachable within the allowed queue period. The amount of time
a message is queued before it is returned depends on local configuration
parameters.
Most likely there is a network problem that prevented delivery, but
it is also possible that the computer is turned off, or does not
have a mail system running right now.
Your message was not delivered within <number> days:
Mail server <hostname> is not responding.
The following recipients did not receive this message:
<address>
Please reply to postmaster@<domain>
if you feel this message to be in error.

The attached file may be named similarly to the recipient's username or 
domain or using one of the following names:

attachment
document
file
instruction
letter
mail
message
readme
text
transcript

with an optional extension of DOC, TXT, HTM, HTML followed by a number 
of spaces and a final extension of EXE, COM, BAT, CMD, SCR or PIF. The 
attached file may also be a zip file containing a file named as 
described.

W32/MyDoom-BC drops a file named services.exe in the Windows or Temp 
folder and runs the file.

Services.exe adds the following registry entry:

HKLM\Software\Microsoft\Windows\CurrentVersion\Run
services
<Windows or Temp folder>\services.exe

W32/MyDoom-BC also attempts to download and run files from several 
websites.





Name   W32/Rbot-WF

Type  
    * Worm

How it spreads  
    * Network shares

Affected operating systems  
    * Windows

Side effects  
    * Turns off anti-virus applications
    * Allows others to access the computer
    * Modifies data on the computer
    * Deletes files off the computer
    * Steals information

Prevalence (1-5) 2

Description
W32/Rbot-WF is a worm with backdoor Trojan functionality.

W32/Rbot-WF is capable of spreading to computers on the local network 
protected by weak passwords after receiving the appropriate backdoor 
command. The worm can also spread by exploiting a number of software 
vulnerabilities.

W32/Rbot-WF will attempt to terminate a number of anti-virus and 
security related applications, along with other malware.

Advanced
W32/Rbot-WF is a worm with backdoor Trojan functionality.

W32/Rbot-WF is capable of spreading to computers on the local network 
protected by weak passwords after receiving the appropriate backdoor 
command.

W32/Rbot-WF will attempt to spread by exploiting the following 
vulnerabilities:

DCOM (MS04-012)
LSASS and IIS5SSL (MS04-011)
WebDav (MS03-007)
UPNP (MS01-059)
Buffer overflow in certain versions of DameWare (CAN-2003-1030)
Microsoft SQL servers with weak passwords
Backdoors left open by other malware

When first run, W32/Rbot-WF copies itself to the Windows system folder 
as SVCHOSTDLL.EXE and runs this copy of the worm. The copy will then 
attempt to delete the original file. In order to run each time a user 
logs in, W32/Rbot-WF will set the following registry entries:

HKCU\Software\Microsoft\Windows\CurrentVersion\Run
MSN Beta
SVCHOSTdll.exe

HKLM\Software\Microsoft\Windows\CurrentVersion\Run
MSN Beta
SVCHOSTdll.exe

HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices
MSN Beta
SVCHOSTdll.exe

The worm runs continuously in the background providing backdoor access 
to the infected computer over IRC channels.

W32/Rbot-WF will set the following registry entries in order to disable 
DCOM and close restrictions on IPC$ shares:

HKLM\SOFTWARE\Microsoft\Ole
EnableDCOM
N

HKLM\SYSTEM\CurrentControlSet\Control\Lsa
restrictanonymous
1

W32/Rbot-WF can add and delete network shares and users on the infected 
computer.

W32/Rbot-WF will attempt to terminate the following processes:

bbeagle.exe
d3dupdate.exe
i11r54n4.exe
irun4.exe
msblast.exe
MSBLAST.exe
msconfig.exe
mscvb32.exe
navapw32.exe
navw32.exe
netstat.exe
PandaAVEngine.exe
Penis32.exe
rate.exe
regedit.exe
ssate.exe
sysinfo.exe
SysMonXP.exe
teekids.exe
wincfg32.exe
taskmon.exe
winsys.exe
winupd.exe
zapro.exe
zonealarm.exe





Name   Troj/Lineage-D

Type  
    * Trojan

Affected operating systems  
    * Windows

Side effects  
    * Steals information
    * Records keystrokes
    * Leaves non-infected files on computer

Prevalence (1-5) 2

Description
Troj/Lineage-D is a password-stealing Trojan for the Windows platform.

Troj/Lineage-D logs keystrokes for the game Lineage II and emails the 
author with the results.

Advanced
Troj/Lineage-D is a password-stealing Trojan for the Windows platform.

Troj/Lineage-D logs keystrokes for the game Lineage II and emails the 
author with the results.

Troj/Lineage-D copies itself to the Windows system folder as 
"ttplorer.exe" and creates a DLL keylogging component "ttinject.dll" as 
well as the text file "ttdata32.dll" to keep the keylog results.

Troj/Lineage-D creates the following registry entry to run itself 
automatically on system login or startup:

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Scvhost
<Windows system>\ttplorer.exe





Name   W32/Assiral-A

Type  
    * Worm

How it spreads  
    * Email attachments
    * Network shares

Affected operating systems  
    * Windows

Side effects  
    * Turns off anti-virus applications
    * Sends itself to email addresses found on the infected computer
    * Installs itself in the Registry
    * Leaves non-infected files on computer

Prevalence (1-5) 2

Description
W32/Assiral-A is a mass mailing worm which attempts to spread itself by 
sending emails with the following characteristics to addresses found in 
the victim's address book:

Subject: Re: LOV YA!

Body: Kindly read and reply to my LOVE LETTER in the attachments :-)

Attachment: LOVE_LETTER.TXT.exe

W32/Assiral-A will attempt to copy itself to floppy drives and network 
shares.

On opening the attachment, W32/Assiral-A will open a web page through 
Internet Explorer at geocities.com. W32/Assiral-A will attempt to modify 
Internet Explorer's homepage to the same page.

It will also attempt to kill off various security related applications 
and disable various capabilities of Windows.

Advanced
W32/Assiral-A will drop the following files into the system:

C:\message.txt
%Windows%\SpoolMgr.exe
%Windows%\love_letter.txt.exe
%System32%\MS_LARISSA.exe
C:\windows\winvbs_32.vbs
C:\windows\system32\reg_32.vbs
C:\larissa_anti_bropia.html

It will attempt to autostart itself with the following registry entries:

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\
MS_LARISSA = %system32%\MS_LARISSA.exe

HKLM\software\microsoft\windows\currentversion\run
spoolsv manager = %windows%\SpoolMgr.exe

And sets the following registry entries:

HKCR\software\microsoft\windows\currentversion\policies\system\
noadminpage = 1

HKCR\software\microsoft\windows\currentversion\policies\explorer\
dword:03ffffff

HKCR\software\microsoft\windows\currentversion\policies\system\
disableregistrytools = 1

HKCR\software\microsoft\windows\currentversion\policies\explorer\
norun = 1

HKCR\software\microsoft\windows\currentversion\policies\winoldapp\
disabled = 1

HKCU\Software\Microsoft\WAB\
Contacts = <number of contact in outlook address book>

which will disable various administration functions in Windows.

W32/Assiral-A may periodically create a pop-up window to display the 
contents of C:\larissa_anti_bropia.html.





Name   W32/MyDoom-AS

Type  
    * Worm

How it spreads  
    * Email attachments
    * Peer-to-peer

Affected operating systems  
    * Windows

Side effects  
    * Turns off anti-virus applications
    * Sends itself to email addresses found on the infected computer
    * Forges the sender's email address
    * Uses its own emailing engine
    * Installs itself in the Registry

Aliases  
    * W32/Mydoom.ba@MM

Prevalence (1-5) 2

Description
W32/MyDoom-AS is a mass-mailing and peer-to-peer worm which emails 
itself as an attachment to addresses found on the infected computer.

When run, W32/MyDoom-AS will launch Notepad with garbage which serves as 
a decoy.

W32/MyDoom-AS may also create a file hserv.sys in the Windows system 
folder. This file is non-malicious and can be safely deleted.

Advanced
W32/MyDoom-AS is a mass-mailing and peer-to-peer worm which emails 
itself as an attachment to addresses found on the infected computer.

When run, W32/MyDoom-AS will launch Notepad with garbage which serves 
as a decoy.

When first run, the worm copies itself to the Windows system folder as 
lsasrv.exe and creates the following registry entry so as to auto-start 
on computer reboot:

HKLM\Software\Microsoft\Windows\CurrentVersion\Run
lsass
%SYSTEM%\lsasrv.exe

On Windows 2000 and Windows XP systems the worm will also modify the 
Explorer shell association by changing the following registry entry 
from:

HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon
Shell
explorer

to:

HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon
Shell
explorer %SYSTEM%\lsasrv.exe

W32/MyDoom-AS may also create a file hserv.sys in the Windows system 
folder. This file is non-malicious and can be safely deleted.

W32/MyDoom-AS will attempt to copy itself to peer-to-peer folders of 
KaZaa, Morpheus, iMesh, eDonkey2000 and LimeWire using the following 
filenames (with an extension chosen from: PIF, SCR, EXE OR BAT):

activation_crack
Ad-awareref01R349
adultpasswds
avpprokey
dcom_patches
icq2004-final
K-LiteCodecPack2.34a
NeroBROM6.3.1.27
winamp5
winxp_patch

The worm also attempts to remove previous startup registry entries of 
other malware which may be installed, terminate various anti-virus and 
security applications and prevent access to related websites by 
modifying the HOSTS file with the following entries:

127.0.0.1 grisoft.com
127.0.0.1 www.grisoft.com
127.0.0.1 www.trendmicro.com
127.0.0.1 rads.mcafee.com
127.0.0.1 customer.symantec.com
127.0.0.1 liveupdate.symantec.com
127.0.0.1 us.mcafee.com
127.0.0.1 updates.symantec.com
127.0.0.1 update.symantec.com
127.0.0.1 www.nai.com
127.0.0.1 secure.nai.com
127.0.0.1 dispatch.mcafee.com
127.0.0.1 download.mcafee.com
127.0.0.1 my-etrust.com
127.0.0.1 www.my-etrust.com
127.0.0.1 mast.mcafee.com
127.0.0.1 ca.com
127.0.0.1 www.ca.com
127.0.0.1 www.networkassociates.com
127.0.0.1 www.kaspersky.com
127.0.0.1 www.avp.com
127.0.0.1 kaspersky-labs.com
127.0.0.1 kaspersky.com
127.0.0.1 f-secure.com
127.0.0.1 www.f-secure.com
127.0.0.1 viruslist.com
127.0.0.1 www.viruslist.com
127.0.0.1 liveupdate.symantecliveupdate.com
127.0.0.1 mcafee.com
127.0.0.1 www.mcafee.com
127.0.0.1 sophos.com
127.0.0.1 www.sophos.com
127.0.0.1 securityresponse.symantec.com
127.0.0.1 www.symantec.com

W32/MyDoom-AS will harvest email addresses from files found on the 
infected computer with the following extensions:

ADB
ASA
ASC
ASM
ASP
CGI
CONF
CSP
DBX
DLT
DWT
EDM
HTA
HTC
HTM
INC
JS
TPL
JSP
LBI
PHP
PL
RDF
RSS
SHT
SSI
STM
TBB
TXT
VB
VBS
WAB
WML
XHT
XML
XSD
XST

Emails generated by the worm have the following characteristics:

Subject lines are chosen from:

Good day
Do not reply to this email
hello
Mail Delivery System
Attention!!!
Mail Transaction Failed
Server Report
Status
Error

Message text is one of:

"Mail transaction failed. Partial message is available."

"The message contains Unicode characters and has been sent as
a binary attachment."

"The message cannot be represented in 7-bit ASCII encoding and
has been sent as a binary attachment."

"Do not visit these sites!!!"

"You have visited illegal websites.
I have a big list of the websites you surfed."

"You think it's funny? You are stupid idiot!!! I'll send
the attachment to your ISP and then I'll be watching
how you will go to jail, punk!!!"

"Your credit card was charged for $500 USD. For additional in
formation see the attachment"

"ESMTP [Secure Mail System #334]: Secure message is attached."

"Encrypted message is available."

"Delivered message is attached."

"Can you confirm it?"

"Binary message is available."

"am shocked about your document!"

"Are you a spammer? (I found your email on a spammer website!?!"

"Bad Gateway: The message has been attached."

"Attention! New self-spreading virus!

Be careful, a new self-spreading virus called 'RTSW.Smash' spreading 
very fast via e-mail and P2P networks. It's about two million people 
infected and it will be more.

To avoid your infection by this virus and to stop it we provide you with 
full information how to protect yourself against it and also including 
free remover. Your can find it in the attachment.

2004 Networks Associates Technology, Inc. All Rights Reserved"

"New terms and conditions for credit card holders

Here a new terms and conditions for credit card holders using a credit 
cards for making purchase in the Internet in the attachment. Please, 
read it carefully. If you are not agree with new terms and conditions do 
not use your credit card in the World Wide Web.

Thank you,

The World Bank Group
2004 The World Bank Group, All Rights Reserved"

"Thank you for registering at WORLDXXXPASS.COM

All your payment info, login and password you can find in the attachment 
file. It's a real good choise to go to WORLDXXXPASS.COM"

"Attention! Your IP was logged by The Internet Fraud Complaint Center

Your IP was logged by The Internet Fraud Complaint Center. There was a 
fraud attempt logged by The Internet Fraud Complaint Center from your 
IP. This is a serious crime, so all records was sent to the FBI. All 
information you can find in the attachment. Your IP was flagged and if 
there will be anover attemption you will be busted.

This message is brought to you by the Federal Bureau of Investigation 
and the National White Collar Crime Center"

"Here is your documents you are requested."

Attachment filenames are chosen from the following and can take one of 
these extensions (pif, scr, exe, cmd, bat, zip):

document
readme
doc
rules
file
data
docs
message
body





Name   W32/Poebot-H

Type  
    * Worm

How it spreads  
    * Network shares

Affected operating systems  
    * Windows

Side effects  
    * Steals information
    * Reduces system security
    * Installs itself in the Registry
    * Used in DOS attacks

Aliases  
    * Backdoor.Win32.PoeBot.a

Prevalence (1-5) 2

Description
W32/Poebot-H is a worm which attempts to spread to remote network shares 
with weak passwords. It also contains backdoor functionality allowing 
unauthorised remote access to the infected computer via IRC channels.

Advanced
W32/Poebot-H is a worm which attempts to spread to remote network shares 
with weak passwords. It also contains backdoor functionality allowing 
unauthorised remote access to the infected computer via IRC channels.

W32/Poebot-H allows a remote attacker to:

steal passwords.
download and execute files on the infected computer.
flood other computers with network packets.
retrieve system information.
execute arbitrary commands.

When run, the worm copies itself to the system folder as lssas.exe and 
sets the following registry entry in order to run when a user logs on:

HKLM\Software\Microsoft\Windows\CurrentVersion\Run
Local Security Authority Service
<Windows system folder>\lssas.exe





Name   W32/Kipis-I

Type  
    * Worm

How it spreads  
    * Email attachments

Affected operating systems  
    * Windows

Side effects  
    * Sends itself to email addresses found on the infected computer
    * Forges the sender's email address
    * Uses its own emailing engine
    * Installs itself in the Registry

Aliases  
    * Email-Worm.Win32.Kipis.k

Prevalence (1-5) 2

Description
W32/Kipis-I is an email worm for the Windows platform.

The worm harvests email addresses from files with the following file 
extensions:

ADB
DBX
DOC
EML
HTM
HTML
TBB
TXT
UIN
XLS
XML

The email sent by W32/Kipis-I has the following properties:

Subjects:
Valentine's day
Present
your
Happy day
Happy Valentine's day
your love
here
hi
you my love..
Re: My porno

Message texts:

With the coming Valentine's day! I very much love you. Please see
my flash present.

I congratulate on the coming Valentine's day! My gift to you.

love you! :),congratulate!"

Thank you!!!

----Original Message----
From: <random address>
To: <random address>
Sent: <time/date>
Subject: My porno

Attached file:

your present
present
flash love
love
Valentine
porn
porno_03
Joke
nude
My nude_04

Attachment extension:

.scr
.exe

From:
<current user>
adam
alex
anna
brenda
dana
dave
linda
liza
maria
mary
mike
rosa
sandra
stan
stiv

Note: The "from" field consists of one of the above names and "@<domain 
names found when harvesting email addresses>"

W32/Kipis-I will not send emails to addresses which contain any of the 
following strings:

.edu
.gov
abuse
accoun
antivir
bitdefen
borlan
bugs
cafee
contact
drweb
e-trust-
f-prot
foo.
help
icrosoft
info
iruslis
kaspersky
klamav
listserv
mailer
messagelab
news
newviru
nod32
nodomai
norman
panda
podpiska
privacy
rar
rating
register
ripe.
sales
secur
sendmail
service
soft
software.
sopho
support
sybari
symante
virus
webmaster
winrar
winzip

W32/Kipis-I also opens a backdoor to download remote files.

Advanced
W32/Kipis-I is an email worm for the Windows platform.

When first run, W32/Kipis-I copies itself to the following locations:

<Windows folder>/regedit.com
<Windows system folder>/Microsoft/svchost.exe
<Windows system folder>/netstat.com

Note: The trick used here by W32/Kipis-I takes advantage of the way the
operating system searches for files. When a user types "netstat" at a
command prompt, Windows will first look for netstat.com, netstat.exe and
then other possible file extensions. This fact causes the worm copy to 
run instead of the intended file.

W32/Kipis-I creates the following registry entry in order to run each 
time a program is loaded on the computer:

HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon
Shell
"Explorer.exe <Windows system folder>\Microsoft\svchost.exe"

The worm harvests email addresses from files with the following file
extensions:

ADB
DBX
DOC
EML
HTM
HTML
TBB
TXT
UIN
XLS
XML

The email sent by W32/Kipis-I has the following properties:

Subjects:
Valentine's day
Present
your
Happy day
Happy Valentine's day
your love
here
hi
you my love..
Re: My porno

Message texts:

With the coming Valentine's day! I very much love you. Please see
my flash present.

I congratulate on the coming Valentine's day! My gift to you.

love you! :),congratulate!"

Thank you!!!

----Original Message----
From: <random address>
To: <random address>
Sent: <time/date>
Subject: My porno

Attached file:

your present
present
flash love
love
Valentine
porn
porno_03
Joke
nude
My nude_04

Attachment extension:

.scr
.exe

From:
<current user>
adam
alex
anna
brenda
dana
dave
linda
liza
maria
mary
mike
rosa
sandra
stan
stiv

Note: The "from" field consists of one of the above names and "@<domain 
names found when harvesting email addresses>"

W32/Kipis-I will not send emails to addresses which contain any of the
following strings:

.edu
.gov
abuse
accoun
antivir
bitdefen
borlan
bugs
cafee
contact
drweb
e-trust-
f-prot
foo.
help
icrosoft
info
iruslis
kaspersky
klamav
listserv
mailer
messagelab
news
newviru
nod32
nodomai
norman
panda
podpiska
privacy
rar
rating
register
ripe.
sales
secur
sendmail
service
soft
software.
sopho
support
sybari
symante
virus
webmaster
winrar
winzip

W32/Kipis-I also opens a backdoor on port 1988 and listens for incoming 
connections. The backdoor can be used to download remote files.





Name   W32/Rbot-WB

Type  
    * Worm

How it spreads  
    * Network shares

Affected operating systems  
    * Windows

Side effects  
    * Allows others to access the computer
    * Steals information
    * Downloads code from the internet
    * Installs itself in the Registry
    * Exploits system or software vulnerabilities

Aliases  
    * Backdoor.Win32.SdBot.ve
    * W32/Sdbot.worm.gen.y

Prevalence (1-5) 2

Description
W32/Rbot-WB is a worm with backdoor Trojan functionality.

W32/Rbot-WB is capable of spreading to computers on the local network 
protected by weak passwords after receiving the appropriate backdoor 
command.

W32/Rbot-WB may also spread by exploiting the following vulnerabilities:

LSASS (MS04-011)
DCOM (MS04-012)
Microsoft SQL servers with weak passwords.

Advanced
When first run, W32/Rbot-WB copies itself to the Windows system folder 
as RPC.EXE and runs this copy of the worm. The copy will then attempt to 
delete the original file. In order to run each time Windows is started, 
W32/Rbot-WB will set the following registry entries:

HKLM\Software\Microsoft\Windows\CurrentVersion\Run\
Microsofts MediaScope = winmep.exe

HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices\
Microsofts MediaScope = winmep.exe

W32/Rbot-WB may also set the following registry entry:

HKCU\Software\Microsoft\OLE\
Microsofts MediaScope = winmep.exe

The worm runs continuously in the background providing backdoor access 
to the infected computer.

The backdoor component of W32/Rbot-WB can be used to:

Initiate distributed denial-of-service (DDOS) attacks using ICMP, SYN,
UDP, PING, ACK and TCP flooding.
Redirect TCP and SOCKS4 traffic.
Provide a remote login shell.
Download, upload, delete and execute files.
Set up an HTTP, TFTP and FTP file server.
Steal passwords (including PayPal account information).
Log key presses.
Capture screenshots.
Capture webcam pictures and videos.
List and kill processes.
Stop, start, pause and delete services.
Open and close vulnerabilities.
Port scan for vulnerabilities on other remote computers.
Send emails as specified by the remote user.
Flush the DNS and ARP caches.
Shut down and reboot the computer.
Add and delete network shares and users.
Sniff network traffic for passwords.

W32/Rbot-WB may be used to steal registration and key details from 
various computer games and applications.

W32/Rbot-WB may alter the following registry entries in order to 
enable/disable DCOM and open/close restrictions on IPC$ shares:

HKLM\SOFTWARE\Microsoft\Ole\EnableDCOM

HKLM\SYSTEM\CurrentControlSet\Control\Lsa\restrictanonymous

HKLM\SYSTEM\ControlSet\Control\Lsa\restrictanonymous

W32/Rbot-WB may add and delete network shares and users on the infected 
computer.





Name   W32/Poebot-A

Type  
    * Worm

How it spreads  
    * Network shares

Affected operating systems  
    * Windows

Side effects  
    * Allows others to access the computer
    * Modifies data on the computer
    * Steals information
    * Downloads code from the internet
    * Reduces system security

Aliases  
    * Backdoor.Win32.PoeBot.a

Prevalence (1-5) 2

Description
W32/Poebot-A is a network worm with backdoor Trojan functionality for 
the Windows platform.

The worm spreads through network shares protected by weak passwords.

The backdoor component joins a predetermined IRC channel and awaits 
further commands from a remote user.

Advanced
W32/Poebot-A is a network worm with backdoor Trojan functionality for 
the Windows platform.

The worm spreads through network shares protected by weak passwords.

When first run, W32/Poebot-A copies itself to the Windows system folder 
as lssas.exe and creates the following registry entries in order to run 
each time a user logs on:

HKLM\Software\Microsoft\Windows\CurrentVersion\Run
Local Security Authority Service
"<Windows system folder>\lssas.exe"

The backdoor component joins a predetermined IRC channel and awaits 
further commands from a remote user.





Name   W32/Sdbot-VH

Type  
    * Worm

How it spreads  
    * Network shares

Affected operating systems  
    * Windows

Side effects  
    * Turns off anti-virus applications
    * Allows others to access the computer
    * Steals information
    * Downloads code from the internet
    * Reduces system security

Prevalence (1-5) 2

Description
W32/Sdbot-VH is a network worm with backdoor functionality for the 
Windows platform.

The worm spreads through network shares protected by weak passwords, 
MS-SQL servers and through various operating system vulnerabilities.

W32/Sdbot-VH connects to a predetermined IRC channel and awaits further 
commands from remote users.

Advanced
W32/Sdbot-VH is a network worm with backdoor functionality for the 
Windows platform.

When first run, W32/Sdbot-VH copies itself to the Windows system folder 
as "svhost.exe" and creates the following registry entries in order to 
run each time a user logs on:

HKLM\Software\Microsoft\Windows\CurrentVersion\Run
Win32 Loader
svhost.exe

HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices
Win32 Loader
svhost.exe

HKCU\Software\Microsoft\Windows\CurrentVersion\Run
Win32 Loader
svhost.exe

The worm spreads through network shares protected by weak passwords, 
MS-SQL servers and through various operating system vulnerabilities.

W32/Sdbot-VH connects to a predetermined IRC channel and awaits further 
commands from remote users. The backdoor component of W32/Sdbot-VH can 
be instructed to perform the following functions:

scan networks for vulnerabilities
download/execute arbitrary files
start an ftp server
take part in distributed denial of service (DDoS) attacks

Patches for the vulnerabilities exploited by W32/Sdbot-VH can be 
obtained from Microsoft at:

http://www.microsoft.com/technet/security/bulletin/ms03-039.mspx
http://www.microsoft.com/technet/security/bulletin/ms04-011.mspx
http://www.microsoft.com/technet/security/bulletin/ms04-012.mspx





Name   W32/Sdbot-SB

Type  
    * Worm

Affected operating systems  
    * Windows

Side effects  
    * Installs itself in the Registry
    * Exploits system or software vulnerabilities
    * Dropped by malware

Prevalence (1-5) 2

Description
W32/Sdbot-SB is a member of the W32/Sdbot family of worms with a 
backdoor component.

Advanced
W32/Sdbot-SB is a member of the W32/Sdbot family of worms with a 
backdoor component.

In order to run automatically when Windows starts up, the worm copies 
itself to the file winprotect.exe in the Windows system folder and adds 
the following registry entries:

HKLM\Software\Microsoft\Windows\CurrentVersion\Run\winprotect
HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices\winprotect

W32/Sdbot-SB is dropped by Troj/Wurmark-B.





Name   W32/Codbot-C

Type  
    * Worm

How it spreads  
    * Network shares

Affected operating systems  
    * Windows

Side effects  
    * Allows others to access the computer
    * Steals information
    * Downloads code from the internet
    * Installs itself in the Registry
    * Exploits system or software vulnerabilities

Aliases  
    * W32/Sdbot.worm.gen.j

Prevalence (1-5) 2

Description
W32/Codbot-C is a backdoor Trojan containing functionality to spread via 
network shares.

The worm connects to an IRC channel and listens for backdoor commands 
from a remote attacker. The backdoor functionality of the worm includes 
the ability to sniff packets, download further malicious code and steal 
passwords and other system information.

W32/Codbot-C may attempt to exploit a number of vulnerabilities, 
including the LSASS vulnerability (MS04-011).

Advanced
W32/Codbot-C is a backdoor Trojan containing functionality to spread via 
network shares.

The worm connects to an IRC channel and listens for backdoor commands 
from a remote attacker. The backdoor functionality of the worm includes 
the ability to sniff packets, download further malicious code and steal 
passwords and other system information.

When first run, W32/Codbot-C copies itself to the Windows system folder 
as MAPI32.EXE and installs itself as a service with service name 
"Extended MAPI Function Handler" and display name "Handling the loading 
of the MAPI API."

W32/Codbot-C may make the following change to the system registry:

HKLM\SOFTWARE\Microsoft\Ole
EnableDCOM
"N"

W32/Codbot-C may attempt to exploit a number of vulnerabilities, 
including the LSASS vulnerability (MS04-011).





Name   Troj/PurScan-V

Type  
    * Trojan

Affected operating systems  
    * Windows

Side effects  
    * Downloads code from the internet

Prevalence (1-5) 2

Description
Troj/PurScan-V is a downloader for an advertising-related application.

The Trojan connects to a preconfigured website and downloads files 
relevant to a specific advertising campaign.





Name   W32/Forbot-EC

Type  
    * Worm

How it spreads  
    * Chat programs

Affected operating systems  
    * Windows

Side effects  
    * Allows others to access the computer
    * Steals information
    * Downloads code from the internet
    * Installs itself in the Registry
    * Exploits system or software vulnerabilities

Aliases  
    * Backdoor.Win32.PdPinch.gen
    * WORM_WOOTBOT.GEN

Prevalence (1-5) 2

Description
W32/Forbot-EC is a network worm with backdoor functionality for the 
Windows platform. The worm allows unauthorised remote access to the 
infected system via IRC channels while running in the background as a 
service process. The worm may also spread by DCC.

W32/Forbot-EC exploits various vulnerabilities, including the LSASS 
vulnerability (see MS04-011).

The backdoor functionality of the worm includes being able to act as a 
proxy, sniff packets, download updates, delete network shares and steal 
keys for various software products.

Advanced
W32/Forbot-EC is a network worm with backdoor functionality for the 
Windows platform. The worm allows unauthorised remote access to the 
infected system via IRC channels while running in the background as a 
service process. The worm may also spread by DCC.

W32/Forbot-EC copies itself to the Windows system folder as EMP32.EXE 
and creates the following registry entries in order to run itself on 
system startup:

HKLM\Software\Microsoft\Windows\CurrentVersion\Run
Help Temp Files
emp32.exe

HKLM\Software\Microsoft\Windows\CurrentVersion\RunOnce
Help Temp Files
emp32.exe

HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices
Help Temp Files
emp32.exe

HKCU\Software\Microsoft\Windows\CurrentVersion\Run
Help Temp Files
emp32.exe

HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnce
Help Temp Files
emp32.exe

W32/Forbot-EC also registers itself as a service named 
"addicted-to.druggs.info" with the display name "Help Temp Files".

W32/Forbot-EC exploits various vulnerabilities, including the LSASS 
vulnerability (see MS04-011).

The backdoor functionality of the worm includes being able to act as a 
proxy, sniff packets, download updates, delete network shares and steal 
keys for various software products.





Name   W32/Codbot-B

Type  
    * Worm

How it spreads  
    * Network shares

Affected operating systems  
    * Windows

Side effects  
    * Allows others to access the computer
    * Steals information
    * Exploits system or software vulnerabilities
    * Used in DOS attacks

Prevalence (1-5) 2

Description
W32/Codbot-B is a backdoor which contains functionality to spread via 
network shares.

W32/Codbot-B contains backdoor functionality which includes packet 
sniffing and downloading further code, gathering system information and 
killing processes.

W32/Codbot-B may create Run and RunServices registry entries in order to 
run itself on system startup.

W32/Codbot-B may attempt to exploit a number of vulnerabilities.

Advanced
W32/Codbot-B is a backdoor which contains functionality to spread via 
network shares.

When first run, W32/Codbot-B copies itself to the Windows system folder 
as LSPOOL.EXE and installs this file as a service with service name 
"Local Network Spooler" and display name " Loads files to memory for 
later outputing over the endpoint". The worm attempts to connect to an 
IRC channel and listens for backdoor commands from a remote attacker.

W32/Codbot-B contains backdoor functionality which includes packet 
sniffing and downloading further code, gathering system information and 
killing processes.

W32/Codbot-B may create Run and RunServices registry entries in order 
to run itself on system startup.

W32/Codbot-B may attempt to exploit a number of vulnerabilities.





Name   W32/Dopbot-A

Type  
    * Worm

Affected operating systems  
    * Windows

Side effects  
    * Turns off anti-virus applications
    * Allows others to access the computer
    * Downloads code from the internet
    * Reduces system security
    * Installs itself in the Registry

Aliases  
    * Backdoor.Win32.IRCBot.q
    * WORM_DOPBOT.A

Prevalence (1-5) 2

Description
W32/Dopbot-A is a network worm with backdoor functionality for the 
Windows platform.

W32/Dopbot-A spreads to remote network shares, computers already 
compromised by the Optix Trojan and computers vulnerable to the LSASS 
exploit - for more information see:

http://www.microsoft.com/technet/security/bulletin/ms04-011.mspx

W32/Dopbot-A allows unauthorised remote access to the infected computer 
via IRC channels. Remote attackers can command W32/Dopbot-A to perform 
actions including:

download and run arbitrary files
scan other computers for vulnerabilities
flood other computers over the network
terminate processes (including firewall and Anti-virus processes)

W32/Dopbot-A also hardens the computer against further attacks by 
downloading a patch for the LSASS exploit from the Microsoft website and 
changing security settings.

Advanced
W32/Dopbot-A is a network worm with backdoor functionality for the 
Windows platform.

W32/Dopbot-A spreads to remote network shares, computers already 
compromised by the Optix Trojan and computers vulnerable to the LSASS 
exploit - for more information see:

http://www.microsoft.com/technet/security/bulletin/ms04-011.mspx

W32/Dopbot-A allows unauthorised remote access to the infected computer 
via IRC channels. Remote attackers can command W32/Dopbot-A to perform 
actions including:

download and run arbitrary files
scan other computers for vulnerabilities
flood other computers over the network
terminate processes (including firewall and Anti-virus processes)

When first run, W32/Dopbot-A copies itself to the Windows system folder 
as "rund1132.exe" and creates the following registry entries in order to 
run automatically on computer startup:

HKLM\Software\Microsoft\Windows\CurrentVersion\Run\
rund1132
<Windows system folder>\rund1132.exe

HKCU\Software\Microsoft\Windows\CurrentVersion\Run\
rund1132
<Windows system folder>\rund1132.exe

W32/Dopbot-A also hardens the computer against further attacks by 
downloading a patch for the LSASS exploit from the Microsoft website and 
setting the following registry entries if they are not already set:

HKLM\SOFTWARE\Microsoft\Ole\
EnableDCOM
N

HKLM\SYSTEM\CurrentControlSet\Control\Lsa\
restrictanonymous
2
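
The persistence entries quoted in these reports share two patterns that can be reviewed mechanically: a Winlogon Shell value that launches something besides explorer.exe (W32/Kipis-I), and Run/RunServices values whose executable name is a near-miss of a genuine Windows binary (rund1132 for rundll32, lssas for lsass, svhost for svchost). The Python below is an added example, not code from Sophos or from the original post. The registry snapshot it inspects is constructed from the values quoted in the reports plus one benign filler entry; the list of genuine binary names, the digit-for-letter confusable table and the distance threshold of one edit are assumptions chosen for the demonstration, not anything the reports state.

```python
"""Review autorun registry values for the persistence patterns described in
the reports above. Added example; the snapshot is constructed, not a real
registry export.
"""
from __future__ import annotations
import os

# Genuine Windows binaries whose names malware tends to imitate (assumed list).
LEGIT_BINARIES = {"rundll32", "lsass", "svchost", "explorer", "winlogon",
                  "csrss", "services", "spoolsv", "regedit", "netstat"}

# Digit-for-letter substitutions folded away before comparison (assumed table).
CONFUSABLES = str.maketrans({"1": "l", "0": "o"})

AUTORUN_KEYS = (
    r"HKLM\Software\Microsoft\Windows\CurrentVersion\Run",
    r"HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices",
    r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run",
)
WINLOGON_KEY = r"HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon"

# Constructed snapshot {key: {value name: data}} built from the entries quoted
# in the reports, plus a benign "SoundTray" filler entry.
SAMPLE_SNAPSHOT = {
    WINLOGON_KEY: {
        "Shell": r"Explorer.exe C:\WINDOWS\system32\Microsoft\svchost.exe",
    },
    AUTORUN_KEYS[0]: {
        "rund1132": r"C:\WINDOWS\system32\rund1132.exe",
        "Local Security Authority Service": r'"C:\WINDOWS\system32\lssas.exe"',
        "Microsofts MediaScope": "winmep.exe",
        "SoundTray": r'"C:\Program Files\Audio\soundtray.exe"',
    },
    AUTORUN_KEYS[1]: {"Win32 Loader": "svhost.exe"},
    AUTORUN_KEYS[2]: {"Help Temp Files": "emp32.exe"},
}


def osa_distance(a: str, b: str) -> int:
    """Optimal string alignment distance: Levenshtein edits plus a single
    swap of adjacent characters, so lssas/lsass counts as one edit."""
    d = [[0] * (len(b) + 1) for _ in range(len(a) + 1)]
    for i in range(len(a) + 1):
        d[i][0] = i
    for j in range(len(b) + 1):
        d[0][j] = j
    for i in range(1, len(a) + 1):
        for j in range(1, len(b) + 1):
            cost = 0 if a[i - 1] == b[j - 1] else 1
            d[i][j] = min(d[i - 1][j] + 1, d[i][j - 1] + 1, d[i - 1][j - 1] + cost)
            if i > 1 and j > 1 and a[i - 1] == b[j - 2] and a[i - 2] == b[j - 1]:
                d[i][j] = min(d[i][j], d[i - 2][j - 2] + 1)
    return d[len(a)][len(b)]


def binary_name(data: str) -> str:
    """Executable base name from Run-value data: drop quotes, arguments,
    directory and extension ("C:\\x\\lssas.exe" -> "lssas")."""
    data = data.strip()
    exe = data[1:].split('"', 1)[0] if data.startswith('"') else data.split()[0]
    base = exe.replace("/", "\\").rsplit("\\", 1)[-1]
    return os.path.splitext(base)[0].lower()


def lookalike_of(name: str) -> str | None:
    """Return the genuine binary `name` imitates, or None if it is either an
    exact genuine name or not close to any of them."""
    name = name.lower()
    if name in LEGIT_BINARIES:
        return None
    folded = name.translate(CONFUSABLES)
    if folded in LEGIT_BINARIES:          # rund1132 -> rundll32
        return folded
    for legit in sorted(LEGIT_BINARIES):  # lssas -> lsass, svhost -> svchost
        if osa_distance(folded, legit) == 1:
            return legit
    return None


def review_autoruns(snapshot: dict) -> list[tuple[str, str, str]]:
    """Return (key, value name, reason) for every suspicious entry."""
    findings = []
    shell = snapshot.get(WINLOGON_KEY, {}).get("Shell")
    if shell is not None and shell.strip().lower() != "explorer.exe":
        findings.append((WINLOGON_KEY, "Shell",
                         f"Shell launches more than explorer.exe: {shell!r}"))
    for key in AUTORUN_KEYS:
        for value_name, data in snapshot.get(key, {}).items():
            name = binary_name(data)
            legit = lookalike_of(name)
            if legit:
                findings.append((key, value_name, f"{name}.exe imitates {legit}.exe"))
    return findings


if __name__ == "__main__":
    for key, value_name, reason in review_autoruns(SAMPLE_SNAPSHOT):
        print(f"{key}\\{value_name}: {reason}")
```

On a live system the snapshot would be filled from the same keys (for instance by parsing a `reg export` of each one); the comparison logic does not change. Note that "Microsofts MediaScope" (winmep.exe) and "Help Temp Files" (emp32.exe) are not flagged by the name check, which is the point of combining it with the Shell check and a review of value names that try to sound official: a lookalike filename is one indicator among several, not the only one.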

 
--- MultiMail/Win32 v0.43
 * Origin: Try Our Web Based QWK: DOCSPLACE.ORG (1:123/140)