Text 103, 1412 lines
Written 2005-02-26 19:42:00 by KURT WISMER (1:123/140)
Subject: News, Feb. 26 2005
==========================
[cut-n-paste from sophos.com]
Name W32/Poebot-I
Type
* Worm
How it spreads
* Network shares
Affected operating systems
* Windows
Side effects
* Allows others to access the computer
* Reduces system security
* Installs itself in the Registry
Aliases
* Backdoor.Win32.Poebot-I
* BKDR_POEBOT.B
Prevalence (1-5) 2
Description
W32/Poebot-I is a worm that attempts to spread to remote network shares
with weak passwords. W32/Poebot-I also contains backdoor functionality
allowing unauthorised remote access to the infected computer via IRC
channels.
Advanced
W32/Poebot-I is a worm that attempts to spread to remote network shares
with weak passwords. W32/Poebot-I also contains backdoor functionality
allowing unauthorised remote access to the infected computer via IRC
channels.
When run, the worm copies itself to the System folder as winamp.exe and
sets the following registry entry in order to run when a user logs on:
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Winamp Agent
<Windows system folder>\winamp.exe
Name W32/Sdranck-B
Type
* Worm
How it spreads
* Network shares
Affected operating systems
* Windows
Side effects
* Allows others to access the computer
* Drops more malware
* Installs itself in the Registry
* Exploits system or software vulnerabilities
Prevalence (1-5) 2
Description
W32/Sdranck-B is a multi-component network worm.
W32/Sdranck-B drops components detected by Sophos's anti-virus products
as W32/Sdbot-Fam and Troj/Ranck-CC.
The dropped Sdbot component spreads W32/Sdranck-B to network shares with
weak passwords and via network security exploits.
Advanced
W32/Sdranck-B is a multi-component network worm.
W32/Sdranck-B drops two files in the following locations:
C:\WINNT\SYSTEM32\ipazysud.exe
C:\WINNT\SYSTEM32\pinaduli.exe
W32/Sdranck-B then runs these files.
IPAZYSUD.EXE is a proxy Trojan detected as Troj/Ranck-CC. PINADULI.EXE
is a member of the W32/Sdbot family of network worms.
The latter file attempts to spread W32/Sdranck-B to network shares with
weak passwords and via network security exploits.
Name W32/Kelvir-A
Type
* Worm
How it spreads
* Chat programs
Affected operating systems
* Windows
Side effects
* Downloads code from the internet
Aliases
* IM-Worm.Win32.Kelvir.a
* W32/Kelvir.worm.a
Prevalence (1-5) 2
Description
W32/Kelvir-A is an instant messaging worm.
W32/Kelvir-A spreads by sending a message through Windows Messenger to
all of an infected user's contacts. The message encourages the recipient
to visit a web page to download an update and reads:
*** URGENT *** Download the latest patch from <URL> to prevent getting
infected by W32.Bropia.C.
Advanced
W32/Kelvir-A is an instant messaging worm.
W32/Kelvir-A spreads by sending a message through Windows Messenger to
all of an infected user's contacts. The message encourages the recipient
to visit a web page to download an update and reads:
*** URGENT *** Download the latest patch from <URL> to prevent getting
infected by W32.Bropia.C.
At the time of writing, this URL was unavailable.
W32/Kelvir-A will attempt to download a file named PATCH.EXE from a
remote website. At the time of writing, this file was unavailable.
Name W32/Sdbot-VN
Type
* Worm
How it spreads
* Network shares
Affected operating systems
* Windows
Side effects
* Allows others to access the computer
* Modifies data on the computer
* Deletes files off the computer
* Steals information
* Downloads code from the internet
Prevalence (1-5) 2
Description
W32/Sdbot-VN is a network worm with backdoor Trojan functionality for
the Windows platform.
The worm joins a predetermined IRC channel and awaits further commands
from remote attackers.
The worm spreads through network shares protected by weak passwords.
Advanced
W32/Sdbot-VN is a network worm with backdoor Trojan functionality for
the Windows platform.
When first run, W32/Sdbot-VN copies itself to the Windows system folder
as msn16.exe and creates the following registry entries in order to run
each time a user logs on:
HKLM\Software\Microsoft\Windows\CurrentVersion\Run
MSN
msn16.exe
HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices
MSN
msn16.exe
HKCU\Software\Microsoft\Windows\CurrentVersion\Run
MSN
msn16.exe
The worm joins a predetermined IRC channel and awaits further commands
from remote attackers. The backdoor component can then be instructed to
perform the following:
take part in distributed denial of service (DDoS) attacks
upload/download/execute arbitrary files
add/remove network shares
scan networks for vulnerabilities
The worm spreads through network shares protected by weak passwords.
Name W32/Codbot-Gen
Type
* Worm
How it spreads
* Network shares
Affected operating systems
* Windows
Side effects
* Allows others to access the computer
* Steals information
* Installs itself in the Registry
Prevalence (1-5) 2
Description
Worms detected as W32/Codbot-Gen provide backdoor Trojan functionality
to a remote attacker via IRC channels. Such worms may spread to remote
network shares with weak passwords in response to a command from a
remote attacker.
Members of the W32/Codbot family typically attempt to exploit
vulnerabilities, such as the LSASS vulnerability (MS04-011).
Advanced
Worms detected as W32/Codbot-Gen provide backdoor Trojan functionality
to a remote attacker via IRC channels. Such worms may spread to remote
network shares with weak passwords in response to a command from a
remote attacker.
Members of the W32/Codbot family may copy themselves to the Windows
system folder and create entries under the following registry keys to
run themselves when the user logs on:
HKLM\Software\Microsoft\Windows\CurrentVersion\Run
HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices
HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal
This backdoor functionality typically includes the ability to sniff
packets, download further malicious code and steal passwords and other
system information.
W32/Codbot worms may register themselves as service processes.
Members of the W32/Codbot family typically attempt to exploit
vulnerabilities, such as the LSASS vulnerability (MS04-011).
Name Troj/Dloader-IE
Type
* Trojan
Affected operating systems
* Windows
Side effects
* Downloads code from the internet
Aliases
* Trojan-Downloader.Win32.Delf.ij
Prevalence (1-5) 2
Description
Troj/Dloader-IE is a downloader Trojan for the Windows platform.
Troj/Dloader-IE will download a file from a predefined URL. The
downloaded file will be in the Windows folder as active_url.dll. The
downloaded file is a configuration file used to tell the Trojan other
files to download. The Trojan will also copy itself to the Windows
system folder as msapp.exe.
Advanced
Troj/Dloader-IE is a downloader Trojan for the Windows platform.
Troj/Dloader-IE will download a file from a predefined URL. The
downloaded file will be in the Windows folder as active_url.dll. The
downloaded file is a configuration file used to tell the Trojan other
files to download. The Trojan will also copy itself to the Windows
system folder as msapp.exe.
Troj/Dloader-IE will create or modify the following registry entry:
HKLM\Software\Microsoft\Windows\CurrentVersion\Run
msnmsgs.exe
<Windows system folder>\msapp.exe
Name W32/Agobot-QE
Type
* Worm
How it spreads
* Network shares
Affected operating systems
* Windows
Side effects
* Turns off anti-virus applications
* Allows others to access the computer
* Modifies data on the computer
* Steals information
* Downloads code from the internet
Prevalence (1-5) 2
Description
W32/Agobot-QE is a backdoor Trojan and worm which spreads to computers
protected by weak passwords.
Each time the Trojan is run it attempts to connect to a remote IRC
server and join a specific channel.
The Trojan then runs continuously in the background, allowing a remote
intruder to access and control the computer via IRC channels.
Advanced
W32/Agobot-QE is a backdoor Trojan and worm which spreads to computers
protected by weak passwords.
When first run, W32/Agobot-QE moves itself to the Windows system folder
as Hnksvc32.exe and creates the following registry entries to run itself
on logon or startup:
HKLM\Software\Microsoft\Windows\CurrentVersion\Run
Hekio Startups
Hnksvc32.exe
HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices
Hekio Startups
Hnksvc32.exe
Each time the Trojan is run it attempts to connect to a remote IRC
server and join a specific channel.
The Trojan then runs continuously in the background, allowing a remote
intruder to access and control the computer via IRC channels.
The Trojan attempts to terminate and disable various anti-virus and
security-related programs and modifies the HOSTS file located at
<Windows>\System32\Drivers\etc\HOSTS, mapping selected anti-virus
websites to the loopback address 127.0.0.1 in an attempt to prevent
access to these sites.
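The HOSTS-file tampering described for W32/Agobot-QE is something a defender can check for directly. The following is an added example, not Sophos's code or the worm's: it parses HOSTS content and flags any hostname other than localhost-style names that is pinned to loopback, and separately flags vendor update domains pointed anywhere unusual; the vendor domain list and the sample HOSTS content are assumptions constructed for the example.

```python
"""Flag HOSTS entries that pin hostnames to loopback (added example).

W32/Agobot-QE is described above as rewriting
<Windows>\\System32\\Drivers\\etc\\HOSTS so that anti-virus vendor sites
resolve to 127.0.0.1. A clean HOSTS file maps only localhost-style names
to loopback, so every other name pointed at 127.0.0.1 or ::1 is a finding.
"""
import ipaddress

# Names that legitimately resolve to loopback.
LOOPBACK_NAMES = {"localhost", "localhost.localdomain", "broadcasthost",
                  "ip6-localhost", "ip6-loopback"}

# Vendor domains whose blocking would cut off AV updates. Assumed for this
# example; tailor it to the vendors your hosts actually update from.
VENDOR_DOMAINS = ("sophos.com", "symantec.com", "symantecliveupdate.com",
                  "mcafee.com", "nai.com", "networkassociates.com",
                  "kaspersky.com", "avp.com", "viruslist.com", "f-secure.com",
                  "trendmicro.com", "ca.com", "my-etrust.com")


def is_vendor_host(host):
    """True if host equals, or is a subdomain of, an entry in VENDOR_DOMAINS."""
    return any(host == d or host.endswith("." + d) for d in VENDOR_DOMAINS)


def parse_hosts(text):
    """Yield (line_no, ip_address, hostname) for each mapping in HOSTS text.

    Comments (# ...) and blank or malformed lines are skipped, and one
    address line may carry several hostnames.
    """
    for line_no, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        fields = line.split()
        try:
            addr = ipaddress.ip_address(fields[0])
        except ValueError:
            continue  # first field is not an address; skip rather than guess
        for host in fields[1:]:
            yield line_no, addr, host.lower().rstrip(".")


def suspicious_entries(text):
    """Return [(line_no, hostname, reason)] for entries worth investigating."""
    findings = []
    for line_no, addr, host in parse_hosts(text):
        if addr.is_loopback and host not in LOOPBACK_NAMES:
            reason = ("vendor-site-pinned-to-loopback" if is_vendor_host(host)
                      else "host-pinned-to-loopback")
            findings.append((line_no, host, reason))
        elif is_vendor_host(host):
            # A vendor name pinned to any other address is also a hijack.
            findings.append((line_no, host, "vendor-site-pinned-to-other-address"))
    return findings


# Constructed sample HOSTS content: two vendor lines of the kind the text
# above describes, plus an ordinary intranet entry that must not be flagged.
SAMPLE_HOSTS = "\n".join([
    "# constructed sample, not a real HOSTS file",
    "127.0.0.1       localhost",
    "::1             localhost",
    "127.0.0.1 sophos.com",
    "127.0.0.1 liveupdate.symantec.com   # appended by malware",
    "10.0.0.5  printserver.corp.example",
])

if __name__ == "__main__":
    for line_no, host, reason in suspicious_entries(SAMPLE_HOSTS):
        print(f"line {line_no}: {host} ({reason})")
```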
Name W32/MyDoom-BD
Type
* Worm
How it spreads
* Email attachments
Affected operating systems
* Windows
Side effects
* Turns off anti-virus applications
* Sends itself to email addresses found on the infected computer
* Modifies data on the computer
* Drops more malware
* Forges the sender's email address
Aliases
* Email-Worm.Win32.Mydoom.am
* W32/Mydoom.bd@MM
* WORM_MYDOOM.BD
Prevalence (1-5) 2
Description
W32/MyDoom-BD is an email worm for the Windows platform.
Advanced
W32/MyDoom-BD is an email worm. When first run, the worm copies itself
to either the Windows or Temp folders as java.exe, and adds one of the
following registry entries to ensure that the copy is run each time
Windows starts:
HKLM\Software\Microsoft\Windows\CurrentVersion\Run\JavaVM
HKCU\Software\Microsoft\Windows\CurrentVersion\Run\JavaVM
W32/MyDoom-BD also creates a file named services.exe in the Windows or
Temp folder and runs the file. Services.exe is a backdoor component
detected by Sophos as W32/MyDoom-O.
W32/MyDoom-BD searches the hard disk for email addresses. The worm searches
files with the extensions PL*, PH*, TX*, HT*, ASP, TBB, SHT*, WAB, ADB
and DBX and the Windows address book. In addition the worm may use an
internet search engine to find more email addresses. The worm will send
a query to the search engine using domain names from email addresses
found on the hard disk and then examine the query results, searching for
more addresses. The internet search engines used by W32/MyDoom-BD and
the percentage chance that each is used are:
www.google.com (45%)
search.lycos.com (22.5%)
search.yahoo.com (20%)
www.altavista.com (12.5%)
When choosing addresses to send itself to W32/MyDoom-BD will avoid
addresses which contain any of the following strings:
mailer-d
spam
abuse
master
sample
accoun
privacycertific
bugs
listserv
submit
ntivi
support
admin
page
the.bat
gold-certs
ca
feste
not
help
foo
no
soft
site
rating
me
you
your
someone
anyone
nothing
nobody
noone
info
winrar
winzip
rarsoft
sf.net
sourceforge
ripe.
arin.
google
gnu.
gmail
seclist
secur
bar.
foo.com
trend
update
uslis
domain
example
sophos
yahoo
spersk
panda
hotmail
msn.
msdn.
microsoft
sarc.
syma
avp
The email sent by the worm has a spoofed sender.
The subject line may be blank or one of the following:
hello
hi
error
status
test
report
delivery failed
Message could not be delivered
Mail System Error - Returned Mail
Delivery reports about your e-mail
Returned mail: see transcript for details
Returned mail: Data format error
The message text of the email is constructed from a set of optional
strings within the worm. The message sent is blank or similar to one of
the following messages:
Dear user of <domain>
Mail server administrator of <domain> would like to inform you that
We have detected that your e-mail account has been used to send a large
amount of unsolicited e-mail messages during this recent week.
We suspect that your computer had been compromised by a recent virus and now
runs a trojan proxy server.
Please follow our instructions in the attachment file
in order to keep your computer safe.
Virtually yours
<domain> user support team.
The message could not be delivered
The original message was included as attachment
The original message was received at <time> from <address>
----- The following addresses had permanent fatal errors -----
<address>
----- Transcript of the session follows -----
... while talking to host <hostname>:
<<< MAIL From:<address>
<<< 501 User unknown
Session aborted
>>> RCPT To:<address>
<<< 550 MAILBOX NOT FOUND
The message was undeliverable due to the following reason(s):
Your message was not delivered because the destination computer was
not reachable within the allowed queue period. The amount of time
a message is queued before it is returned depends on local configuration
parameters.
Most likely there is a network problem that prevented delivery, but
it is also possible that the computer is turned off, or does not
have a mail system running right now.
Your message was not delivered within <number> days:
Mail server <hostname> is not responding.
The following recipients did not receive this message:
<address>
Please reply to postmaster@<domain>
if you feel this message to be in error.
The attached file may be named similarly to the recipient's username or
domain or using one of the following names:
readme
instruction
transcript
mail
letter
file
text
attachment
document
message
with an optional extension of DOC, TXT, HTM, HTML and a final extension
of EXE, COM, BAT, CMD, SCR or PIF. The attached file may also be a zip
file containing a file named as described.
Name W32/Sdranck-A
Type
* Worm
How it spreads
* Network shares
Affected operating systems
* Windows
Side effects
* Drops more malware
Aliases
* Trojan-Proxy.Win32.Ranky.bc
* INFECTED
* W32/Sdbot.worm.gen
Prevalence (1-5) 2
Description
W32/Sdranck-A is a multi-component network worm that uses a member of
the W32/Sdbot family to spread. W32/Sdranck-A also drops a member of the
Troj/Ranck family of proxy Trojans.
Advanced
W32/Sdranck-A is a multi-component network worm.
W32/Sdranck-A drops two files to the winnt\system32 folder, DAQUWU32.EXE
and G58S2A1.EXE. DAQUWU32.EXE is a member of the Troj/Ranck family of
proxy Trojans and G58S2A1.EXE is a member of the W32/Sdbot family of
network worms, and it is this latter file that spreads W32/Sdranck-A to
network shares with weak passwords and via network security exploits.
Name W32/Domwis-G
Type
* Worm
How it spreads
* Network shares
Affected operating systems
* Windows
Side effects
* Turns off anti-virus applications
* Allows others to access the computer
* Modifies data on the computer
* Deletes files off the computer
* Steals information
Aliases
* Backdoor.Win32.Wisdoor.k
Prevalence (1-5) 2
Description
W32/Domwis-G is a network worm with backdoor functionality for the
Windows platform that allows a malicious user remote access to an
infected computer.
W32/Domwis-G can delete, download and execute remote files on the
infected computer. The backdoor component can be used to send files to
other IRC users.
The backdoor component can be used to flood other computers with
internet traffic. To evade detection, the worm can spoof the IP address
of the infected computer.
The backdoor component of W32/Domwis-G can steal system information, log
keystrokes, create screen and webcam captures and send them to a remote
user.
The backdoor component can also be used to scan other computers for open
ports and for vulnerabilities in web and database servers.
Advanced
W32/Domwis-G is a network worm with backdoor functionality for the
Windows platform that allows a malicious user remote access to an
infected computer.
When first run, the worm copies itself to the Windows folder as a hidden
file named SYSCFG16.EXE.
In order to run automatically each time Windows is started the worm sets
the following registry entries:
HKLM\Software\Microsoft\Windows\CurrentVersion\Run
Windows System Configuration
<Windows system folder>\SYSCFG16.EXE
HKLM\Software\Microsoft\Windows\CurrentVersion\Run
Windows DLL Loader
<Windows system folder>\SYSCFG16.EXE
W32/Domwis-G can delete, download and execute remote files on the
infected computer. The backdoor component can be used to send files to
other IRC users.
The backdoor component can be used to flood other computers with
internet traffic. To evade detection, the worm can spoof the IP address
of the infected computer.
The backdoor component of W32/Domwis-G can steal system information, log
keystrokes, create screen and webcam captures and send them to a remote
user.
The backdoor component can also be used to scan other computers for open
ports and for vulnerabilities in web and database servers.
Name W32/Sdbot-VL
Type
* Worm
How it spreads
* Network shares
Affected operating systems
* Windows
Side effects
* Allows others to access the computer
* Drops more malware
* Downloads code from the internet
* Installs itself in the Registry
* Exploits system or software vulnerabilities
Prevalence (1-5) 2
Description
W32/Sdbot-VL is a worm with backdoor functionality.
W32/Sdbot-VL may spread to remote network shares with weak passwords.
W32/Sdbot-VL connects to a predetermined IRC channel and runs in the
background listening for backdoor commands.
W32/Sdbot-VL contains functionality to participate in denial of service
attacks and download and run further code.
W32/Sdbot-VL may spread as an archive file that also drops the proxy
Trojan Troj/Ranck-CC.
Advanced
W32/Sdbot-VL is a worm with backdoor functionality.
W32/Sdbot-VL may spread to remote network shares with weak passwords.
W32/Sdbot-VL connects to a predetermined IRC channel and runs in the
background listening for backdoor commands.
W32/Sdbot-VL contains functionality to participate in denial of service
attacks and download and run further code.
W32/Sdbot-VL may spread as an archive file KERENEBO.EXE, which also
drops the proxy Trojan Troj/Ranck-CC.
W32/Sdbot-VL copies itself to the Windows system folder as UWANAH.EXE
and creates the following registry entries in order to run itself on
system startup:
HKLM\Software\Microsoft\Windows\CurrentVersion\Run
uwanah
uwanah.exe
HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices
uwanah
uwanah.exe
HKCU\Software\Microsoft\Windows\CurrentVersion\Run
uwanah
uwanah.exe
Name W32/Bropia-P
Type
* Worm
How it spreads
* Chat programs
Affected operating systems
* Windows
Side effects
* Drops more malware
* Leaves non-infected files on computer
Aliases
* WORM_BROPIA.S
* W32/Bropia.worm.q
Prevalence (1-5) 2
Description
W32/Bropia-P is a worm for the Windows platform.
The worm monitors the status of MSN Messenger and sends a copy of itself
to Messenger contacts.
W32/Bropia-P drops a file to the Windows system folder named winis.exe
which is detected by Sophos's anti-virus products as W32/Rbot-WI.
Advanced
W32/Bropia-P is a worm for the Windows platform.
When first run, the W32/Bropia-P worm displays a pornographic image of a
young woman. The image appears to be of the same woman as displayed by
the W32/Bropia-O worm. The worm can also copy itself to the root folder
as exe.exe.
[Image: the image displayed by the W32/Bropia-P worm.]
The worm monitors the status of MSN Messenger and sends a copy of itself
to Messenger contacts.
W32/Bropia-P will also set the following registry entries:
HKLM\SOFTWARE\Microsoft\Ole
EnableDCOM
N
HKLM\SYSTEM\ControlSet001\Control\Lsa
restrictanonymous
1
W32/Bropia-P drops a file to the Windows system folder named winis.exe
which is detected by Sophos's anti-virus products as W32/Rbot-WI.
Name W32/MyDoom-BE
Type
* Worm
How it spreads
* Email attachments
Affected operating systems
* Windows
Side effects
* Sends itself to email addresses found on the infected computer
* Drops more malware
* Forges the sender's email address
* Uses its own emailing engine
* Downloads code from the internet
Prevalence (1-5) 2
Description
W32/MyDoom-BE is a mass-mailing worm.
W32/MyDoom-BE also creates a file named services.exe in the Windows or
Temp folder and runs the file. Services.exe is detected by Sophos as
W32/MyDoom-O.
W32/MyDoom-BE searches the local Windows Address Book, temporary
internet files and all fixed disks for email addresses. In addition the
worm may use the internet search engines to find more email addresses.
W32/MyDoom-BE also attempts to download and run files from several
websites.
Advanced
W32/MyDoom-BE is a mass-mailing worm.
When first run, the worm copies itself to either the Windows or Temp
folder as java.exe, and adds one of the following registry entries to
ensure that the copy is run each time Windows starts:
HKLM\Software\Microsoft\Windows\CurrentVersion\Run\JavaVM
HKCU\Software\Microsoft\Windows\CurrentVersion\Run\JavaVM
W32/MyDoom-BE also creates a file named services.exe in the Windows or
Temp folder and runs the file. Services.exe is detected by Sophos as
W32/MyDoom-O.
W32/MyDoom-BE searches the local Windows Address Book, temporary
internet files and all fixed disks for email addresses. In addition the
worm may use the following internet search engines to find more email
addresses.
www.google.com
search.lycos.com
search.yahoo.com
www.altavista.com
When choosing addresses to send itself to W32/MyDoom-BE will avoid
addresses which contain any of the following strings:
abuse
accoun
admin
anyone
arin.
avp
bar.
bugs
ca
domain
example
feste
foo
foo.com
gmail
gnu.
gold-certs
google
help
hotmail
info
listserv
mailer-d
master
me
microsoft
msdn.
msn.
no
nobody
noone
not
nothing
ntivi
page
panda
privacycertific
rarsoft
rating
ripe.
sample
sarc.
seclist
secur
sf.net
site
soft
someone
sophos
sourceforge
spam
spersk
submit
support
syma
the.bat
trend
update
uslis
winrar
winzip
yahoo
you
your
The email sent by the worm has a spoofed sender.
Subject line may be blank or one of the following:
hello
hi
error
status
test
report
delivery failed
Message could not be delivered
Mail System Error - Returned Mail
Delivery reports about your e-mail
Returned mail: see transcript for details
Returned mail: Data format error
Message text of the email is constructed from a set of optional strings
within the worm. The message sent is blank or similar to one of the
following messages:
Dear user of <domain>
Mail server administrator of <domain> would like to inform you that We
have detected that your e-mail account has been used to send a large
amount of unsolicited e-mail messages during this recent week. We
suspect that your computer had been compromised by a recent virus and
now runs a trojan proxy server.
Please follow our instructions in the attachment file in order to keep
your computer safe.
Virtually yours
<domain> user support team.
The message could not be delivered
The original message was included as attachment
The original message was received at <time> from <address>
----- The following addresses had permanent fatal errors -----
<address>
----- Transcript of the session follows -----
... while talking to host <hostname>:
>>> MAIL From:<address>
<<< 501 User unknown
Session aborted
>>> RCPT To:<address>
<<< 550 MAILBOX NOT FOUND
The message was undeliverable due to the following reason(s):
Your message was not delivered because the destination computer was not
reachable within the allowed queue period. The amount of time a message
is queued before it is returned depends on local configuration
parameters.
Most likely there is a network problem that prevented delivery, but it
is also possible that the computer is turned off, or does not have a
mail system running right now.
Your message was not delivered within <number> days:
Mail server is not responding. The following recipients did not receive
this message:
<address>
Please reply to postmaster@<domain>
if you feel this message to be in error.
Attached file may be named similarly to the recipient's username or
domain or using one of the following names:
attachment
document
file
instruction
letter
mail
message
readme
text
transcript
with an optional extension of DOC, TXT, HTM, HTML followed by a number
of spaces and a final extension of EXE, COM, BAT, CMD, SCR or PIF. The
attached file may also be a zip file containing a file named as
described.
W32/MyDoom-BE also attempts to download and run files from several
websites.
Name W32/Forbot-EG
Type
* Worm
How it spreads
* Network shares
Affected operating systems
* Windows
Side effects
* Allows others to access the computer
* Modifies data on the computer
* Downloads code from the internet
* Reduces system security
* Installs itself in the Registry
Aliases
* Backdoor.Win32.PdPinch.gen
Prevalence (1-5) 2
Description
W32/Forbot-EG is a network worm which also contains IRC backdoor Trojan
functionality, allowing unauthorised remote access to the infected
computer.
Advanced
W32/Forbot-EG is a worm which attempts to spread to remote network
shares. It also contains backdoor Trojan functionality, allowing
unauthorised remote access to the infected computer via IRC channels
while running in the background as a service process.
W32/Forbot-EG copies itself to the Windows system folder as SNAPPLE.EXE
and attempts to create a service with a Service Name and Display Name of
"snapple" set to run the copy on system startup.
W32/Forbot-EG also sets the following registry entries so as to run
itself on system startup:
HKCU\Software\Microsoft\Windows\CurrentVersion\Run\
snapple =
"snapple.exe"
HKLM\Software\Microsoft\Windows\CurrentVersion\Run\
snapple =
"snapple.exe"
HKLM\Software\Microsoft\Windows\CurrentVersion\RunOnce\
snapple =
"snapple.exe"
HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices\
snapple =
"snapple.exe"
W32/Forbot-EG spreads to network shares with weak passwords and via
network security exploits as a result of the backdoor Trojan element
receiving the appropriate command from a remote user.
W32/Forbot-EG may attempt to set the following registry entries:
HKLM\SOFTWARE\Microsoft\Ole\EnableDCOM = "N"
HKLM\SYSTEM\CurrentControlSet\Control\Lsa\restrictanonymous = "1"
W32/Forbot-EG may attempt to delete network shares on the host computer.
Name W32/Sober-K
Type
* Worm
How it spreads
* Email attachments
Affected operating systems
* Windows
Side effects
* Sends itself to email addresses found on the infected computer
* Uses its own emailing engine
* Installs itself in the Registry
* Leaves non-infected files on computer
Aliases
* Email-Worm.VBS.Sober.k
* W32/Sober.M@mm
* WORM_SOBER.GEN
Prevalence (1-5) 2
Description
W32/Sober-K is a mass-mailing worm which sends itself to addresses
harvested from the infected computer.
When first run, W32/Sober-K will open Notepad and display a body of text
that starts:
Text#674327:
------------
--------------------- %WinZip CodeText Modul% is missing ------------------
W32/Sober-K will arrive by email as a ZIP attachment containing an
executable file with a double extension. For example,
doc_data-text.txt<SPACES>.pif
Subject lines include the following:
You visit illegal websites
Ihr Passwort wurde geaendert
Message body texts include the following:
Dear Sir/Madam,
we have logged your IP-address on more than 40 illegal Websites.
Important: Please answer our questions!
The list of questions are attached.
Yours faithfully,
M. John Stellford
--
## Diese E-Mail wurde automatisch generiert
## Aus Gruenden der Sicherheit, bekommen Sie diese E-Mail
## wenn Ihr aktuelles Benutzer- Passwort veraendert wurde
Ihr neues Passwort und weiter Informationen befinden sich im
beigefuegten Dokument.
Advanced
W32/Sober-K is a mass-mailing worm which sends itself to addresses
harvested from the infected computer.
When first run, W32/Sober-K will open Notepad and display a body of text
that starts:
Text#674327:
------------
--------------------- %WinZip CodeText Modul% is missing ------------------
W32/Sober-K will copy itself to a folder named %WINDOWS%\MSAGENT\WIN32
with the filenames CSRSS.EXE, SMSS.EXE and WINLOGON.EXE. In order to run
automatically each time a user logs on, W32/Sober-K will continually set
the following registry entries:
HKCU\Software\Microsoft\Windows\CurrentVersion\Run
winsystem.sys
%WINDOWS%\msagent\win32\smss.exe
HKLM\Software\Microsoft\Windows\CurrentVersion\Run
_winsystem.sys
%WINDOWS%\msagent\win32\smss.exe
HKLM\Software\Microsoft\Windows\CurrentVersion\RunOnce
winsystem.sys
%WINDOWS%\msagent\win32\smss.exe %1
W32/Sober-K also creates the following files:
%WINDOWS%\msagent\win32\datamx<number>.dat
%WINDOWS%\msagent\win32\zipedso<number>.ber
%WINDOWS%\msagent\win32\GoTo<number>.dat
%WINDOWS%\msagent\win32\runnowso.ber
%SYSTEM%\read.me
%SYSTEM%\nonrunso.ber
%SYSTEM%\stopruns.zhz
The READ.ME file contains the following text:
Ist eine weitere Test-Version. Läuft nur ein paar Tage!
In diesem Sinne:
Odin alias Anon
W32/Sober-K will attempt to terminate processes containing the following
strings:
gcas, gcip, giantanti, msssrt
W32/Sober-K harvests email addresses from files with the following
strings in their filenames:
pmr phtm stm slk inbox imb csv bak imh xhtml imm imh cms nws vcf ctl
dhtm cgi pp ppt msg jsp oft vbs uin ldb abc pst cfg mdw mbx mdx mda adp
nab fdb vap dsp ade sln dsw mde frm bas adr cls ini ldif log mdb xml wsh
tbb abx abd adb pl rtf mmf doc ods nch xls nsf txt wab eml hlp mht nfo
php asp shtml dbx aero com coop edu gov museum name int net org pro info
Emails will have the following characteristics:
Subject Lines include the following:
You visit illegal websites
Your new Password
Mail_delivery_failed
Paris Hilton, pure!
Alert! New Sober Worm!
Ihr Passwort wurde geaendert
Ihr neues Passwort
EMail-Empfang fehlgeschlagen
Paris Hilton Nackt!
Paris Hilton SexVideos
Seitensprung gesucht?
Vorsicht! Neuer Sober Wurm!
Message body texts include the following:
Dear Sir/Madam,
we have logged your IP-address on more than 40 illegal Websites.
Important: Please answer our questions!
The list of questions are attached.
Yours faithfully,
M. John Stellford
--
More than 50 <WORD> Hilton Videos
More than 3000 Hilton picks
FREE Download until April, 2005
Make your own Download Account, it's free!
Further details are attached
Thanks & have fun ;)
--
Antivirus vendors are warning of a new variant of the <WORD> Sober virus
discovered today that can delete the hard disk.
Download and read the zipped patch. It's very easy to install!
Thanks for your cooperation!
--
## Diese E-Mail wurde automatisch generiert
## Aus Gruenden der Sicherheit, bekommen Sie diese E-Mail
## wenn Ihr aktuelles Benutzer- Passwort veraendert wurde
Ihr neues Passwort und weiter Informationen befinden sich im
beigefuegten Dokument.
--
- System Mail -
Diese an ihnen gerichtete E-Mail, wurde in einem falschen Format
gesendet.
Der Betreff, Header und Text dieser Mail, wurde deshalb separat in einer
Text-Datei gespeichert und gezippt.
Vielen Dank fuer Ihr Verstaendnis[System auto- mail]
--
Hallo,
wir hoffen das Ihnen die Betreffszeile unsere Mail genug sagt.
Der Jugendschutz verbietet uns leider mehr Auskunft ueber unser Angebot
zu geben.
Informationen,,,, wie Sie sich bei uns anmelden koennen befinden sich im
beigefuegten Dokument. Natuerlich ist die Anmeldung Kostenlos!
Mehr als 2.5 Millionen registrierte Benutzer!!!
Da ist fuer jeden was dabei!
Auf Wiedersehen
--
Vielen Dank, dass Sie sich bei <NAME> registriert haben.
Der Betrag von ,- Euro ist erfolgreich auf unserem Konto eingegangen.
Passwort, Benutzername und weitere wichtige Informationen zu ihrem neuen
Account befinden sich im angehefteten Dokument.
Hochachtungsvoll
Silvia Hochberger
--
Guten Tag,
mehr als 50 Videos,
Mehr als 1000 heisse Fotos
und mehr als 300 original Sounds von der kleinen Hilton ........ .
Alles frei zum Download, aber nur bis zum 01 April 2005 !!!
Weitere Details entnehmen Sie bitte dem vorliegendem Dokument.
Vielen Dank!
--
Wichtige Information!
Eine neue Sober-Variante verbreitet sich derzeit im Internet.
Wie seine Vorgaenger verschickt sich der Wurm von infizierten
Windows-Rechnern per E-Mail an weitere Adressen.
Es wird deshalb empfohlen, das Patch-Tool auszufuehren um sich vor
diesem Wurm zu schuetzen bzw. diesen wieder zu entfernen.
The attached file will have a ZIP extension and includes the following:
Formular.zip
zipped-mail.zip
<DOMAIN>PSW-Text.zip
zipped-text.zip
Register-Info.zip
Tool.zip
text.zip
register.zip
help-text.zip
indictment_cit<NUMBER>.zip
The ZIP file will contain an executable file with a double extension.
For example, doc_data-text.txt<SPACES>.pif
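The attachment naming described for W32/MyDoom-BD, W32/MyDoom-BE (a decoy DOC/TXT/HTM/HTML extension, optionally padded with spaces, before the real EXE/COM/BAT/CMD/SCR/PIF extension, sometimes inside a ZIP) and for W32/Sober-K (doc_data-text.txt<SPACES>.pif inside a ZIP) can be checked at the mail gateway. The following is an added example, not Sophos's code or the worms': it classifies attachment names and inspects the members of a ZIP held in memory; the sample archive and file names are constructed for the example.

```python
"""Flag mail attachments named to hide an executable (added example).

The MyDoom-BD/BE and Sober-K descriptions above give the pattern: a
document-looking extension (DOC, TXT, HTM, HTML), optionally followed by
a run of spaces, then the real extension (EXE, COM, BAT, CMD, SCR, PIF),
sometimes wrapped in a ZIP. This checks bare names and ZIP members.
"""
import io
import re
import zipfile

EXECUTABLE_EXTS = {"exe", "com", "bat", "cmd", "scr", "pif"}
DECOY_EXTS = {"doc", "txt", "htm", "html"}

# <base>[.<decoy><spaces>].<final>  (the decoy part is optional)
_NAME_RE = re.compile(
    r"^(?P<base>.+?)"
    r"(?:\.(?P<decoy>[A-Za-z]{2,4})(?P<pad>\s*))?"
    r"\.(?P<final>[A-Za-z]{2,4})$"
)


def classify_name(filename):
    """Return reasons the name is suspicious; an empty list means none.

    Reasons, in order: the final extension is executable, a decoy document
    extension precedes it, and whitespace pads the gap between the two.
    """
    match = _NAME_RE.match(filename)
    if not match:
        return []
    reasons = []
    if match["final"].lower() in EXECUTABLE_EXTS:
        reasons.append("executable-extension")
        if match["decoy"] and match["decoy"].lower() in DECOY_EXTS:
            reasons.append("decoy-document-extension")
        if match["pad"]:
            reasons.append("whitespace-padding")
    return reasons


def inspect_zip(data):
    """Map each file inside a ZIP (given as bytes) to its reason list."""
    results = {}
    with zipfile.ZipFile(io.BytesIO(data)) as archive:
        for info in archive.infolist():
            if info.is_dir():
                continue
            leaf = info.filename.rsplit("/", 1)[-1]  # judge the name, not the path
            results[info.filename] = classify_name(leaf)
    return results


def build_sample_zip():
    """Constructed sample in the Sober-K style; member contents are stubs."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as archive:
        archive.writestr("doc_data-text.txt" + " " * 40 + ".pif",
                         b"stub bytes, not an executable")
        archive.writestr("Formular.txt", b"harmless text")
    return buf.getvalue()


if __name__ == "__main__":
    for name in ("message.html      .scr", "transcript.exe", "readme.txt"):
        print(repr(name), classify_name(name))
    for member, reasons in inspect_zip(build_sample_zip()).items():
        print(repr(member), reasons)
```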
The From address line will be faked, but will start with one of the
following:
Service, Webmaster, Register, Hostmaster, Postmaster, police, Officer,
Admin, Web, FBI, Security
--- MultiMail/Win32 v0.43
* Origin: Try Our Web Based QWK: DOCSPLACE.ORG (1:123/140)