Conference VIRUS, 378 messages
Message 111, 1920 lines
Written 2005-04-10 17:42:00 by KURT WISMER (1:123/140)
Subject: News, April 10 2005
===========================
[cut-n-paste from sophos.com]

Name   W32/Mytob-R

Type  
    * Worm

How it spreads  
    * Email attachments
    * Network shares

Affected operating systems  
    * Windows

Side effects  
    * Sends itself to email addresses found on the infected computer
    * Modifies data on the computer
    * Drops more malware
    * Forges the sender's email address
    * Uses its own emailing engine

Aliases  
    * WORM_MYTOB.X
    * Net-Worm.Win32.Mytob.p
    * Net-Worm.Win32.Mytob.q
    * Worm.Mytob.H-3

Prevalence (1-5) 3

Description
W32/Mytob-R is a mass-mailing worm and backdoor Trojan that targets 
users of Internet Relay Chat programs.

W32/Mytob-R is capable of spreading through various operating system 
vulnerabilities such as LSASS (MS04-011).

W32/Mytob-R also drops a file C:\hellmsn.exe. This file is being 
detected by Sophos as W32/Mytob-D.

Advanced
W32/Mytob-R is a mass-mailing worm and backdoor Trojan that targets 
users of Internet Relay Chat programs.

W32/Mytob-R is capable of spreading through various operating system 
vulnerabilities such as LSASS (MS04-011).

When first run, W32/Mytob-R copies itself to the Windows system folder 
as taskgmr.exe, bingoo.exe and nethell.exe and creates the following 
registry entries:

HKCU\SYSTEM\CurrentControlSet\Control\Lsa
WINTASK
taskgmr.exe

HKCU\Software\Microsoft\OLE
WINTASK
taskgmr.exe

HKCU\Software\Microsoft\Windows\CurrentVersion\Run
WINTASK
taskgmr.exe

HKLM\SOFTWARE\Microsoft\Ole
WINTASK
taskgmr.exe

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices
WINTASK
taskgmr.exe

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
WINTASK
taskgmr.exe

HKLM\SYSTEM\CurrentControlSet\Control\Lsa
WINTASK
taskgmr.exe

W32/Mytob-R copies itself to the drive C root folder as:

my_photo2005.scr
see_this!!.scr
funny_pic.scr

The worm also appends the following to the HOSTS file to deny access to 
security-related websites:

127.0.0.1 www.symantec.com
127.0.0.1 securityresponse.symantec.com
127.0.0.1 symantec.com
127.0.0.1 www.sophos.com
127.0.0.1 sophos.com
127.0.0.1 www.mcafee.com
127.0.0.1 mcafee.com
127.0.0.1 liveupdate.symantecliveupdate.com
127.0.0.1 www.viruslist.com
127.0.0.1 viruslist.com
127.0.0.1 viruslist.com
127.0.0.1 f-secure.com
127.0.0.1 www.f-secure.com
127.0.0.1 kaspersky.com
127.0.0.1 www.avp.com
127.0.0.1 www.kaspersky.com
127.0.0.1 avp.com
127.0.0.1 www.networkassociates.com
127.0.0.1 networkassociates.com
127.0.0.1 www.ca.com
127.0.0.1 ca.com
127.0.0.1 mast.mcafee.com
127.0.0.1 my-etrust.com
127.0.0.1 www.my-etrust.com
127.0.0.1 download.mcafee.com
127.0.0.1 dispatch.mcafee.com
127.0.0.1 secure.nai.com
127.0.0.1 nai.com
127.0.0.1 www.nai.com
127.0.0.1 update.symantec.com
127.0.0.1 updates.symantec.com
127.0.0.1 us.mcafee.com
127.0.0.1 liveupdate.symantec.com
127.0.0.1 customer.symantec.com
127.0.0.1 rads.mcafee.com
127.0.0.1 trendmicro.com
127.0.0.1 www.microsoft.com
127.0.0.1 www.trendmicro.com

Emails sent by W32/Mytob-R have the following characteristics:

Subject line:

Error
Status
Server Report
Mail Transaction Failed
Mail Delivery System
hello
thanks!
read it immediately
<random>

Message text:

Here are your banks documents.

Mail transaction failed. Partial message is available.

The message contains Unicode characters and has been sent as a binary 
attachment.

The message cannot be represented in 7-bit ASCII encoding and has been 
sent as a binary attachment.

The original message was included as an attachment.

Here are your banks documents.

The attached file consists of a base name followed by the extensions BAT, 
CMD, PIF, SCR, EXE or ZIP. The worm may optionally create double 
extensions where the first extension is DOC, TXT or HTM and the final 
extension is PIF, SCR, EXE or ZIP.

W32/Mytob-R harvests email addresses from files on the infected computer 
and from the Windows address book.

The worm also drops a batch file %SYSTEM%\2pac.txt. This file can be 
safely deleted.

W32/Mytob-R also drops a file C:\hellmsn.exe. This file is being 
detected by Sophos as W32/Mytob-D.





Name   W32/Mytob-Q

Type  
    * Worm

How it spreads  
    * Email attachments
    * Chat programs

Affected operating systems  
    * Windows

Side effects  
    * Turns off anti-virus applications
    * Allows others to access the computer
    * Modifies data on the computer
    * Steals information
    * Drops more malware

Aliases  
    * WORM_MYTOB.Q

Prevalence (1-5) 2
Description
W32/Mytob-Q is a mass-mailing worm and backdoor Trojan that targets 
users of Internet Relay Chat programs.

W32/Mytob-Q is capable of spreading through email and through various 
operating system vulnerabilities such as LSASS (MS04-011).

W32/Mytob-Q harvests email addresses from files on the infected computer 
and from the Windows address book.

Advanced
W32/Mytob-Q is a mass-mailing worm and backdoor Trojan that targets 
users of Internet Relay Chat programs.

When first run W32/Mytob-Q copies itself to the Windows system folder as 
msnmsgs.exe and creates the following registry entries:

HKCU\System\CurrentControlSet\Control\Lsa
MSN MESSENGER
msnmsgs.exe

HKCU\Software\Microsoft\OLE
MSN MESSENGER
msnmsgs.exe

HKCU\Software\Microsoft\Windows\CurrentVersion\Run
MSN MESSENGER
msnmsgs.exe

HKLM\Software\Microsoft\Ole
MSN MESSENGER
msnmsgs.exe

HKLM\Software\Microsoft\Windows\CurrentVersion\Run
MSN MESSENGER
msnmsgs.exe

HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices
MSN MESSENGER
msnmsgs.exe

HKLM\System\CurrentControlSet\Control\Lsa
MSN MESSENGER
msnmsgs.exe

W32/Mytob-Q copies itself to the root folder as:

funny pic.scr
photo album.scr
eminem vs 2pac.scr

and creates the helper file hellmsn.exe (detected by Sophos as 
W32/Mytob-H) in the same location.

W32/Mytob-Q also appends the following to the HOSTS file to deny access 
to security-related websites:

127.0.0.1 www.symantec.com
127.0.0.1 securityresponse.symantec.com
127.0.0.1 symantec.com
127.0.0.1 www.sophos.com
127.0.0.1 sophos.com
127.0.0.1 www.mcafee.com
127.0.0.1 mcafee.com
127.0.0.1 liveupdate.symantecliveupdate.com
127.0.0.1 www.viruslist.com
127.0.0.1 viruslist.com
127.0.0.1 viruslist.com
127.0.0.1 f-secure.com
127.0.0.1 www.f-secure.com
127.0.0.1 kaspersky.com
127.0.0.1 www.avp.com
127.0.0.1 www.kaspersky.com
127.0.0.1 avp.com
127.0.0.1 www.networkassociates.com
127.0.0.1 networkassociates.com
127.0.0.1 www.ca.com
127.0.0.1 ca.com
127.0.0.1 mast.mcafee.com
127.0.0.1 my-etrust.com
127.0.0.1 www.my-etrust.com
127.0.0.1 download.mcafee.com
127.0.0.1 dispatch.mcafee.com
127.0.0.1 secure.nai.com
127.0.0.1 nai.com
127.0.0.1 www.nai.com
127.0.0.1 update.symantec.com
127.0.0.1 updates.symantec.com
127.0.0.1 us.mcafee.com
127.0.0.1 liveupdate.symantec.com
127.0.0.1 customer.symantec.com
127.0.0.1 rads.mcafee.com
127.0.0.1 trendmicro.com
127.0.0.1 www.microsoft.com
127.0.0.1 www.trendmicro.com

W32/Mytob-Q is capable of spreading through email and through various 
operating system vulnerabilities such as LSASS (MS04-011). Email sent by 
W32/Mytob-Q has the following properties:

Subject line:

Hello
thanks!
read it immediately

Message text:

This is a multi-part message in MIME format

Mail transaction failed. Partial message is available.

The message contains Unicode characters and has been sent as a binary 
attachment.

The message cannot be represented in 7-bit ASCII encoding and has been 
sent as a binary attachment.

The original message was included as an attachment.

I have received your document. The corrected document is attached.

The attached file consists of a base name followed by the extensions 
PIF, SCR, EXE or ZIP. The worm may optionally create double extensions 
where the first extension is DOC, TXT or HTM and the final extension is 
PIF, SCR, EXE or ZIP.

W32/Mytob-Q harvests email addresses from files on the infected computer 
and from the Windows address book.





Name   W32/Rbot-ZQ

Type  
    * Worm

How it spreads  
    * Network shares

Affected operating systems  
    * Windows

Side effects  
    * Turns off anti-virus applications
    * Allows others to access the computer
    * Modifies data on the computer
    * Steals information
    * Downloads code from the internet

Aliases  
    * Backdoor.Win32.Rbot.gen

Prevalence (1-5) 2

Description
W32/Rbot-ZQ is an IRC backdoor and network worm.

W32/Rbot-ZQ may spread to remote network shares protected by weak 
passwords and computers vulnerable to common exploits. The worm also 
opens up a backdoor, allowing unauthorised remote access to infected 
computers via the IRC network, while running in the background as a 
service process. The worm exploits the following vulnerabilities: 
RPC-DCOM (MS04-12), LSASS (MS04-11) and WKS (MS03-049). For patches for 
these vulnerabilities, see:

http://www.microsoft.com/technet/security/bulletin/MS03-049.mspx
http://www.microsoft.com/technet/security/bulletin/MS04-011.mspx
http://www.microsoft.com/technet/security/bulletin/MS04-012.mspx

W32/Rbot-ZQ can receive commands from a remote intruder to delete 
network shares, log keypresses, participate in DDoS attacks, scan other 
computers for vulnerabilities, steal passwords, steal registration keys 
for computer games, create administrator accounts, terminate firewall 
and anti-virus processes and capture video from web cameras attached to 
the computer.

The worm creates numerous registry entries in order to alter system 
security.

Advanced
W32/Rbot-ZQ is an IRC backdoor and network worm.

W32/Rbot-ZQ may spread to remote network shares protected by weak 
passwords and computers vulnerable to common exploits. The worm also 
opens up a backdoor, allowing unauthorised remote access to infected 
computers via the IRC network, while running in the background as a 
service process. The worm exploits the following vulnerabilities: 
RPC-DCOM (MS04-12), LSASS (MS04-11) and WKS (MS03-049). For patches for 
these vulnerabilities, see:

http://www.microsoft.com/technet/security/bulletin/MS03-049.mspx
http://www.microsoft.com/technet/security/bulletin/MS04-011.mspx
http://www.microsoft.com/technet/security/bulletin/MS04-012.mspx

W32/Rbot-ZQ can receive commands from a remote intruder to delete 
network shares, log keypresses, participate in DDoS attacks, scan other 
computers for vulnerabilities, steal passwords, steal registration keys 
for computer games, create administrator accounts, terminate firewall 
and anti-virus processes and capture video from web cameras attached to 
the computer.

W32/Rbot-ZQ copies itself to the Windows system folder with a random 
filename and creates the following registry entries in order to alter 
system security:

HKLM\SYSTEM\CurrentControlSet\Services\wscsvc
Start =
4

HKLM\SOFTWARE\Microsoft\Ole
EnableDCOM =
"N"

HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess
Start =
4

HKLM\SYSTEM\CurrentControlSet\Control\Lsa
restrictanonymous =
1

HKLM\SYSTEM\CurrentControlSet\Services\NetBT\Parameters
TransportBindName =
""

HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings
MaxConnectionsPer1_0Server =
50

HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings
MaxConnectionsPerServer =
50

HKLM\SYSTEM\CurrentControlSet\Services\lanmanserver\parameters
AutoShareWks =
0

HKLM\SYSTEM\CurrentControlSet\Services\lanmanserver\parameters
AutoShareServer =
0

The worm also creates a number of new registry entries under

HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters





Name   W32/Sdbot-WS

Type  
    * Worm

How it spreads  
    * Network shares

Affected operating systems  
    * Windows

Side effects  
    * Allows others to access the computer
    * Steals information
    * Reduces system security
    * Installs itself in the Registry
    * Exploits system or software vulnerabilities

Aliases  
    * Trojan.SdBot-447
    * W32/Sdbot.worm.gen.y

Prevalence (1-5) 2

Description
W32/Sdbot-WS is a member of the W32/Sdbot family of network worms. The 
worm can spread to weakly protected network shares, and to computers 
already infected with W32/MyDoom.

The worm has a backdoor component that connects to a preconfigured IRC 
channel, allowing an attacker to issue instructions to the worm, thus 
giving access to an infected computer.

W32/Sdbot-WS can be instructed to harvest product keys; scan for remote 
computers to infect; upload, download and execute files; as well as 
retrieve information about an infected system.

Advanced
W32/Sdbot-WS is a member of the W32/Sdbot family of network worms. The 
worm can spread to weakly protected network shares, and to computers 
already infected with W32/MyDoom.

In order to run automatically when Windows starts up the worm copies 
itself to the <System> folder as winupdate.exe and creates the following 
registry entries:

HKLM\Software\Microsoft\Windows\CurrentVersion\Run\
Windows Update
winupdate.exe

HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices
Windows Update
winupdate.exe

HKCU\Software\Microsoft\Windows\CurrentVersion\Run\
Windows Update
winupdate.exe

Once installed, W32/Sdbot-WS connects to a preconfigured IRC server and 
joins a channel from which an attacker can issue further commands. These 
commands can cause the infected computer to perform any of the following 
actions:

Scan for remote computers to infect
Steal product keys
Upload, download and execute files
Retrieve information about an infected system

The worm can be instructed to secure an infected computer, and does this 
by attempting to delete the C$, D$, IPC$ and ADMIN$ network shares, and 
disable DCOM by setting the following registry entry:

HKLM\Software\Microsoft\OLE
EnableDCOM
N





Name   Troj/StartPa-FM

Type  
    * Trojan

Affected operating systems  
    * Windows

Side effects  
    * Modifies data on the computer

Aliases  
    * Trojan.Win32.StartPage.sr
    * Trojan.Startpage-220

Prevalence (1-5) 2

Description
Troj/StartPa-FM is a Windows Trojan which changes the default Internet 
settings.

When run the Trojan quietly changes the default Internet Explorer Start 
Page and the Internet zone settings.

Troj/StartPa-FM also drops a file ~D2.TMP in the %TEMP% folder and runs 
it. This file is a key generator application and is not malicious.





Name   W32/Rbot-ZN

Type  
    * Worm

How it spreads  
    * Network shares

Affected operating systems  
    * Windows

Side effects  
    * Turns off anti-virus applications
    * Allows others to access the computer
    * Modifies data on the computer
    * Deletes files off the computer
    * Steals information

Aliases  
    * Backdoor.Win32.Rbot.gen

Prevalence (1-5) 2

Description
W32/Rbot-ZN is a worm with backdoor Trojan functionality.

W32/Rbot-ZN is capable of spreading to computers on the local network 
protected by weak passwords after receiving the appropriate backdoor 
command. The worm can also spread by exploiting a number of software 
vulnerabilities.

Advanced
W32/Rbot-ZN is a worm with backdoor Trojan functionality.

W32/Rbot-ZN is capable of spreading to computers on the local network 
protected by weak passwords after receiving the appropriate backdoor 
command.

W32/Rbot-ZN will attempt to spread by exploiting the following 
vulnerabilities:

DCOM (MS04-012)
LSASS and IIS5SSL (MS04-011)
Microsoft SQL servers with weak passwords

When first run, W32/Rbot-ZN moves itself to the Windows system folder as 
INIT3.EXE. In order to run automatically each time a user logs in, 
W32/Rbot-ZN will set the following registry entries:

HKCU\Software\Microsoft\Windows\CurrentVersion\Run
Unix File Support
init3.exe

HKCU\Software\Microsoft\Windows\CurrentVersion\RunServices
Unix File Support
init3.exe

HKLM\Software\Microsoft\Windows\CurrentVersion\Run
Unix File Support
init3.exe

HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices
Unix File Support
init3.exe

W32/Rbot-ZN will also set the following registry entries:

HKCU\Software\Microsoft\OLE
Unix File Support
init3.exe

HKCU\SYSTEM\CurrentControlSet\Control\Lsa
Unix File Support
init3.exe

The worm runs continuously in the background, providing backdoor access 
to the infected computer over IRC channels.

W32/Rbot-ZN will modify the following registry entries in order to 
disable DCOM and close restrictions on IPC$ shares:

HKLM\SOFTWARE\Microsoft\Ole
EnableDCOM
N

HKLM\SYSTEM\CurrentControlSet\Control\Lsa
restrictanonymous
1

W32/Rbot-ZN will attempt to terminate the following processes:






Name   Troj/Bdoor-ZAT

Type  
    * Trojan

Affected operating systems  
    * Windows

Side effects  
    * Allows others to access the computer
    * Modifies data on the computer
    * Reduces system security
    * Installs itself in the Registry

Prevalence (1-5) 2

Description
Troj/Bdoor-ZAT is a backdoor Trojan for the Windows platform.

The Trojan opens a backdoor on port 63714 and listens for connections 
from remote intruders. The Trojan then can offer a remote shell to the 
intruder.

Advanced
Troj/Bdoor-ZAT is a backdoor Trojan for the Windows platform.

The Trojan opens a backdoor on port 63714 and listens for connections 
from remote intruders. The Trojan then can offer a remote shell to the 
intruder. The Trojan remains active by hooking into the explorer 
process.

Troj/Bdoor-ZAT installs itself in the Windows system folder as 
explorer.exe and userinit.dll.





Name   Troj/Agent-CZ

Type  
    * Trojan

Affected operating systems  
    * Windows

Side effects  
    * Downloads code from the internet
    * Installs itself in the Registry

Aliases  
    * Trojan-Proxy.Win32.Small.bh

Prevalence (1-5) 2

Description
Troj/Agent-CZ is a Trojan for the Windows platform.

The Trojan attempts to redirect network traffic and download files from 
the internet while running in the background as a process.

Advanced
Troj/Agent-CZ is a Trojan for the Windows platform.

The Trojan attempts to redirect network traffic and download files from 
the internet while running in the background as a process.

Troj/Agent-CZ copies itself to the Windows folder as csrss.exe.

The Trojan creates the following registry entry to run itself 
automatically on user logon:

HKCU\Software\Microsoft\Windows\CurrentVersion\Run
System
%WINDOWS\csrss.exe

Troj/Agent-CZ also creates the following registry entry:

HKLM\SOFTWARE\Microsoft\Windows\Port
@
7423





Name   W32/Codbot-Gen

Type  
    * Worm

How it spreads  
    * Network shares

Affected operating systems  
    * Windows

Side effects  
    * Allows others to access the computer
    * Steals information
    * Installs itself in the Registry

Prevalence (1-5) 2

Description
Sophos Anti-Virus products detect members of the W32/Codbot family of 
worms as W32/Codbot-Gen.

Worms detected as W32/Codbot-Gen provide backdoor Trojan functionality 
to a remote attacker via IRC channels. Such worms may spread to remote 
network shares with weak passwords in response to a command from a 
remote attacker.

Members of W32/Codbot family typically attempt to exploit 
vulnerabilities, such as the LSASS vulnerability (MS04-011).

Advanced
Sophos Anti-Virus products detect members of the W32/Codbot family of 
worms as W32/Codbot-Gen.

Worms detected as W32/Codbot-Gen provide backdoor Trojan functionality 
to a remote attacker via IRC channels. Such worms may spread to remote 
network shares with weak passwords in response to a command from a 
remote attacker.

Members of W32/Codbot family may copy themselves to the Windows system 
folder and create entries in the following registry entries to run 
themselves when the user logs on:

HKLM\Software\Microsoft\Windows\CurrentVersion\Run
HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices
HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal

This backdoor functionality typically includes the ability to sniff 
packets, download further malicious code and steal passwords and other 
system information.

W32/Codbot worms may register themselves as service processes.

Members of the W32/Codbot family typically attempt to exploit 
vulnerabilities such as the LSASS vulnerability (MS04-011).





Name   W32/Mytob-W

Type  
    * Worm

How it spreads  
    * Email attachments
    * Network shares

Affected operating systems  
    * Windows

Side effects  
    * Allows others to access the computer
    * Sends itself to email addresses found on the infected computer
    * Drops more malware
    * Uses its own emailing engine
    * Reduces system security

Aliases  
    * Net-Worm.Win32.Mytob.q
    * WORM_MYTOB.W

Prevalence (1-5) 2

Description
W32/Mytob-W is a mass-mailing network worm with backdoor functionality 
that targets users of Internet Relay Chat programs.

Emails sent by W32/Mytob-W have the following characteristics:

The subject line is one of the following:

Error
Good day
Hello
Mail Delivery System
Mail Transaction Failed
Server Report
Status

The message text is one of the following lines:

Mail transaction failed. Partial message is available.
The message contains Unicode characters and has been sent as a binary 
 attachment.
The message cannot be represented in 7-bit ASCII encoding and has been 
 sent as a binary attachment.
The original message was included as an attachment.
Here are your banks documents

The worm is included as an attachment to the message, either as an 
executable file (with CMD, BAT, DOC, HTM, PIF, SCR, TMP, TXT, EXE or COM 
extension) or as a ZIP file containing the executable. The filename 
(excluding file extension) is chosen from the following list:

BODY
DATA
DOC
DOCUMENT
FILE
MESSAGE
README
TEST
TEXT

Advanced
W32/Mytob-W is a mass-mailing network worm with backdoor functionality 
that targets users of Internet Relay Chat programs.

W32/Mytob-W spreads as an email attachment or by exploiting known 
vulnerabilities: the LSASS vulnerability (MS04-011) and the RPC/DCOM 
vulnerability (MS04-012).

W32/Mytob-W attempts to harvest email addresses from the infected 
system. Emails sent by W32/Mytob-W have the following characteristics:

The subject line is one of the following:

Error
Good day
Hello
Mail Delivery System
Mail Transaction Failed
Server Report
Status

The message text is one of the following lines:

Mail transaction failed. Partial message is available.
The message contains Unicode characters and has been sent as a binary 
 attachment.
The message cannot be represented in 7-bit ASCII encoding and has been 
 sent as a binary attachment.
The original message was included as an attachment.
Here are your banks documents

The worm is included as an attachment to the message, either as an 
executable file (with CMD, BAT, DOC, HTM, PIF, SCR, TMP, TXT, EXE or COM 
extension) or as a ZIP file containing the executable. The filename 
(excluding file extension) is chosen from the following list:

BODY
DATA
DOC
DOCUMENT
FILE
MESSAGE
README
TEST
TEXT

Once executed, W32/Mytob-W copies itself to the Windows system folder 
as NETHELL.EXE and TASKGMR.EXE and, so that it runs automatically when 
Windows starts, sets the following registry entries:

HKLM\Software\Microsoft\Windows\CurrentVersion\Run
WINTASK
taskgmr.exe

HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices
WINTASK
taskgmr.exe

HKCU\Software\Microsoft\Windows\CurrentVersion\Run
WINTASK
taskgmr.exe

Also W32/Mytob-W modifies the following registry entries:

HKCU\SYSTEM\CurrentControlSet\Control\Lsa
WINTASK
taskgmr.exe

HKCU\Software\Microsoft\OLE
WINTASK
taskgmr.exe

HKLM\SOFTWARE\Microsoft\Ole
WINTASK
taskgmr.exe

HKLM\SYSTEM\CurrentControlSet\Control\Lsa
WINTASK
taskgmr.exe

W32/Mytob-W also creates the file hellmsn.exe in the root folder 
(detected as W32/Mytob-D) and copies itself to the root folder under 
the following filenames:

funny_pic.scr
my_photo2005.scr
see_this!!.scr

W32/Mytob-W modifies the system HOSTS file in order to prevent access to 
the following web addresses:

avp.com
ca.com
customer.symantec.com
dispatch.mcafee.com
download.mcafee.com
f-secure.com
kaspersky.com
liveupdate.symantec.com
liveupdate.symantecliveupdate.com
mast.mcafee.com
mcafee.com
my-etrust.com
nai.com
networkassociates.com
rads.mcafee.com
secure.nai.com
securityresponse.symantec.com
sophos.com
symantec.com
trendmicro.com
update.symantec.com
updates.symantec.com
us.mcafee.com
viruslist.com
viruslist.com
www.avp.com
www.ca.com
www.f-secure.com
www.kaspersky.com
www.mcafee.com
www.microsoft.com
www.my-etrust.com
www.nai.com
www.networkassociates.com
www.sophos.com
www.symantec.com
www.trendmicro.com
www.viruslist.com





Name   W32/Reper-A

Type  
    * Worm

Affected operating systems  
    * Windows

Side effects  
    * Installs itself in the Registry
    * Leaves non-infected files on computer

Aliases  
    * Virus.Win32.Repka.a
    * W32/Sautor.worm.gen
    * W32.Reper.A
    * WORM_REPER.A

Prevalence (1-5) 2

Description
W32/Reper-A is a Windows worm.

Advanced
W32/Reper-A is a Windows worm.

When run, the worm attempts to copy itself to every logical drive as 
reper.exe and to create or overwrite the file autorun.inf there so that 
it references the executable and causes it to be run automatically.

W32/Reper-A will also copy itself to the Windows folder as viewer.exe 
and to the %WINDOWS%\System32 folder as N0TEPAD.exe (the digit zero 
being used instead of the letter 'O'.)

The following registry entry is created by the worm:

HKLM\Software\Microsoft\Windows\CurrentVersion\Run
runreper
%WINDOWS%\viewer.exe

W32/Reper-A also modifies the text file viewer association key from:

HKCR\txtfile\shell\open\command
%SystemRoot%\system32\NOTEPAD.EXE %1

to (again substituting the letter 'O' in NOTEPAD with the digit zero):

HKCR\txtfile\shell\open\command
%WINDOWS%\System32\N0TEPAD.EXE %1

The worm will also attempt to terminate regedit.exe, cmd.exe and 
taskmgr.exe.





Name   W32/Rbot-AAC

Type  
    * Worm

How it spreads  
    * Network shares

Affected operating systems  
    * Windows

Side effects  
    * Turns off anti-virus applications
    * Allows others to access the computer
    * Modifies data on the computer
    * Steals information
    * Drops more malware

Prevalence (1-5) 2

Description
W32/Rbot-AAC is a network worm which attempts to spread via network 
shares. The worm contains backdoor functions that allow unauthorised 
remote access to the infected computer via IRC channels while running in 
the background.

The worm spreads to network shares with weak passwords and also by using 
the RPC-DCOM security exploit (MS03-039).

W32/Rbot-AAC drops the file C:\hellmsn.exe and runs it. This file is 
currently being detected by Sophos as W32/Mytob-H.

Advanced
W32/Rbot-AAC is a network worm which attempts to spread via network 
shares. The worm contains backdoor functions that allow unauthorised 
remote access to the infected computer via IRC channels while running in 
the background.

The worm spreads to network shares with weak passwords and also by using 
the RPC-DCOM security exploit (MS03-039).

When run W32/Rbot-AAC moves itself to the Windows System folder as a 
hidden, read-only, system file named msnmsgs.exe. The worm then copies 
itself to the following filenames:

C:\eminem vs 2pac.scr
C:\funny pic.scr
C:\photo album.scr

The above 3 files have their read-only, hidden, system and archive file 
attributes set.

W32/Rbot-AAC then creates the following registry entries so as to run 
itself on computer logon:

HKCU\Software\Microsoft\Windows\CurrentVersion\RunServices
MSN MESSENGER
msnmsgs.exe

HKCU\Software\Microsoft\Windows\CurrentVersion\Run
MSN MESSENGER
msnmsgs.exe

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices
MSN MESSENGER
msnmsgs.exe

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
MSN MESSENGER
msnmsgs.exe

The worm also creates the following registry entries:

HKCU\SYSTEM\CurrentControlSet\Control\Lsa
MSN MESSENGER
msnmsgs.exe

HKCU\Software\Microsoft\Ole
MSN MESSENGER
msnmsgs.exe

HKLM\SYSTEM\CurrentControlSet\Control\Lsa
MSN MESSENGER
msnmsgs.exe

HKLM\SOFTWARE\Microsoft\Ole
MSN MESSENGER
msnmsgs.exe

The worm changes the following registry entry as follows:

from:
HKLM\SOFTWARE\Microsoft\Ole
EnableDCOM
Y

to:
HKLM\SOFTWARE\Microsoft\Ole
EnableDCOM
N

from:
HKLM\SYSTEM\CurrentControlSet\Control\Lsa
restrictanonymous
dword:00000000

to:
HKLM\SYSTEM\CurrentControlSet\Control\Lsa
restrictanonymous
dword:00000001
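
The registry changes listed for this worm, together with the csrss.exe 
copy that Troj/Agent-CZ registers from the Windows folder, the 
N0TEPAD.EXE file-association hijack of W32/Reper-A and the autorun 
entries of the other worms above, are all visible in a plain registry 
export. The following Python script is an added example written for 
this page; it is not Sophos code and not anything from the malware. It 
parses a constructed .reg excerpt (the format written by "reg export") 
and reports autorun values that point at a bare filename, that place a 
system binary name outside its normal folder, that imitate a system 
binary name with a digit-for-letter substitution, or that set 
EnableDCOM to N. The excerpt, the SYSTEM_BINARIES table and the 
HOMOGLYPHS map are the example's own assumptions.

```python
from typing import Dict, List

# Constructed excerpt of a .reg export showing the kinds of changes
# described on this page. It is not a capture from an infected machine.
SAMPLE_REG = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\\WINDOWS\\System32\\ctfmon.exe"
"MSN MESSENGER"="msnmsgs.exe"

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"System"="C:\\WINDOWS\\csrss.exe"

[HKEY_CLASSES_ROOT\txtfile\shell\open\command]
@="C:\\WINDOWS\\System32\\N0TEPAD.EXE %1"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Ole]
"EnableDCOM"="N"
"""

AUTORUN_KEYS = (
    r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run",
    r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices",
    r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run",
    r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunServices",
)
TXTFILE_COMMAND_KEY = r"HKEY_CLASSES_ROOT\txtfile\shell\open\command"
OLE_KEY = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Ole"

# Windows binaries whose names the entries above show being borrowed
# (csrss.exe) or imitated (N0TEPAD.EXE), with the folder they belong in.
# Assumed table for this example; extend it for a real audit.
SYSTEM_BINARIES = {"csrss.exe": "system32", "notepad.exe": "system32"}
# Digit-for-letter substitutions to undo before comparing names (assumed).
HOMOGLYPHS = str.maketrans({"0": "o", "1": "l", "5": "s"})


def parse_reg(text: str) -> Dict[str, Dict[str, str]]:
    """Parse the string values of a .reg export into {key: {value name: data}}."""
    keys: Dict[str, Dict[str, str]] = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys[current] = {}
        elif current is not None and "=" in line:
            name, data = line.split("=", 1)
            name = "(Default)" if name == "@" else name.strip('"')
            if data.startswith('"') and data.endswith('"'):
                data = data[1:-1].replace("\\\\", "\\")  # undo .reg backslash escaping
            keys[current][name] = data
    return keys


def check_command(data: str) -> List[str]:
    """Flag a command that borrows or imitates a system binary name, or has no path."""
    parts = data.replace("/", "\\").split("\\")
    exe = parts[-1].split(" ")[0].lower()            # drop arguments such as %1
    parent = parts[-2].lower() if len(parts) > 1 else ""
    findings = []
    normalised = exe.translate(HOMOGLYPHS)
    if normalised in SYSTEM_BINARIES and normalised != exe:
        findings.append(f"look-alike of {normalised}: {exe}")
    elif exe in SYSTEM_BINARIES and parent != SYSTEM_BINARIES[exe]:
        findings.append(f"{exe} outside {SYSTEM_BINARIES[exe]}: {data}")
    if not parent:
        findings.append(f"bare filename resolved via the search path: {data}")
    return findings


def audit_reg_export(text: str) -> List[str]:
    """Return findings for the autorun, txtfile and DCOM changes described on this page."""
    # Registry key names are case-insensitive, so compare them lower-cased.
    keys = {k.lower(): v for k, v in parse_reg(text).items()}
    findings = []
    for key in AUTORUN_KEYS:
        for name, data in keys.get(key.lower(), {}).items():
            findings += [f"{key}\\{name}: {f}" for f in check_command(data)]
    command = keys.get(TXTFILE_COMMAND_KEY.lower(), {}).get("(Default)", "")
    if command:
        findings += [f"{TXTFILE_COMMAND_KEY}: {f}" for f in check_command(command)]
    if keys.get(OLE_KEY.lower(), {}).get("EnableDCOM", "Y").upper() == "N":
        findings.append(f"{OLE_KEY}\\EnableDCOM is N: DCOM has been disabled")
    return findings


if __name__ == "__main__":
    for finding in audit_reg_export(SAMPLE_REG):
        print(finding)
```

On a live system the input would come from "reg export" of each key of 
interest; the same parser can be pointed at an export of 
HKLM\SYSTEM\CurrentControlSet\Control\Lsa to compare restrictanonymous 
against the value expected for the host, which this example does not do. 
A bare filename in an autorun value is reported because the text above 
shows the worms relying on the search path to find their copy in the 
system folder.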

Once installed, W32/Rbot-AAC will attempt to perform the following 
actions when instructed to do so by a remote attacker:

scan ports
create an HTTPD server
create a SOCKS4 server
participate in distributed denial of service (DDoS) attacks
download and run files from the Internet
log keystrokes to the file %SYSTEM%\keys.txt
capture clipboard information
terminate anti-virus, security and Windows applications and processes

The worm also prevents access to anti-virus and security related 
websites by appending the following mappings to the HOSTS file in the 
%SYSTEM%\drivers\etc folder:

127.0.0.1 www.symantec.com
127.0.0.1 securityresponse.symantec.com
127.0.0.1 symantec.com
127.0.0.1 www.sophos.com
127.0.0.1 sophos.com
127.0.0.1 www.mcafee.com
127.0.0.1 mcafee.com
127.0.0.1 liveupdate.symantecliveupdate.com
127.0.0.1 www.viruslist.com
127.0.0.1 viruslist.com
127.0.0.1 viruslist.com
127.0.0.1 f-secure.com
127.0.0.1 www.f-secure.com
127.0.0.1 kaspersky.com
127.0.0.1 www.avp.com
127.0.0.1 www.kaspersky.com
127.0.0.1 avp.com
127.0.0.1 www.networkassociates.com
127.0.0.1 networkassociates.com
127.0.0.1 www.ca.com
127.0.0.1 ca.com
127.0.0.1 mast.mcafee.com
127.0.0.1 my-etrust.com
127.0.0.1 www.my-etrust.com
127.0.0.1 download.mcafee.com
127.0.0.1 dispatch.mcafee.com
127.0.0.1 secure.nai.com
127.0.0.1 nai.com
127.0.0.1 www.nai.com
127.0.0.1 update.symantec.com
127.0.0.1 updates.symantec.com
127.0.0.1 us.mcafee.com
127.0.0.1 liveupdate.symantec.com
127.0.0.1 customer.symantec.com
127.0.0.1 rads.mcafee.com
127.0.0.1 trendmicro.com
127.0.0.1 www.microsoft.com
127.0.0.1 www.trendmicro.com

W32/Rbot-AAC drops the file C:\hellmsn.exe and runs it. This file is 
currently being detected by Sophos as W32/Mytob-H.





Name   Troj/Nuclear-F

Type  
    * Trojan

Affected operating systems  
    * Windows

Side effects  
    * Allows others to access the computer
    * Reduces system security
    * Records keystrokes
    * Installs itself in the Registry

Aliases  
    * Backdoor.Win32.Nuclear.b

Prevalence (1-5) 2

Description
Troj/Nuclear-F is a configurable backdoor Trojan for the Windows 
platform which allows full remote access via a remote client. The 
client application allows the creation of server applets which act as 
the backdoor when installed on the infected computer.

Advanced
Troj/Nuclear-F is a configurable backdoor Trojan for the Windows 
platform which allows full remote access via a remote client. The 
client application allows the creation of server applets which act as 
the backdoor when installed on the infected computer.

The generated Trojan component can be customised upon creation.

Troj/Nuclear-F may copy itself to a new folder under the Windows folder 
as well as create a helper dll of the same name.

The following registry entry may also be created:

HKLM\Software\Classes\dllfile\shell\open\command\

Troj/Nuclear-F may create a number of files, including an IP logger 
script and an initialisation script, as follows:

logger.php
settings.in

The Trojan is capable of logging keystrokes, monitoring attached media 
devices such as webcams and microphones and interacting with the 
desktop.





Name   WM97/Xaler-A

Type  
    * Virus

How it spreads  
    * Infected files

Affected operating systems  
    * Windows

Aliases  
    * Virus.MSWord.Xaler.a
    * W97M.Lexar.A

Prevalence (1-5) 2

Description
WM97/Xaler-A is a macro virus for Microsoft Word.

On predefined days WM97/Xaler-A will display a message telling the user 
to relax while all of the files on the computer are deleted, although no 
files are actually deleted.





Name   W32/Wurmark-F

Type  
    * Worm

How it spreads  
    * Email messages
    * Email attachments

Affected operating systems  
    * Windows

Side effects  
    * Sends itself to email addresses found on the infected computer
    * Drops more malware
    * Uses its own emailing engine

Aliases  
    * Email-Worm.Win32.Wurmark.g
    * W32/Mugly.h@MM
    * WORM_MUGLY.H

Prevalence (1-5) 2

Description
W32/Wurmark-F is a mass mailing worm which sends itself as a zip 
attachment to email addresses found on the infected computer.

When run the worm displays the image uglym.jpg as it installs itself on 
the computer.

The image displayed by the Wurmark-F worm.

W32/Wurmark-F drops several files to the Windows system folder. 
W32/Wurmark-F will drop attached.zip, which is a zip file containing 
W32/Wurmark-F, and xxz.tmp, which is a copy of the worm. W32/Wurmark-F 
will also drop the following clean files:

ANSMTP.DLL
bszip.dll
uglym.jpg

W32/Wurmark-F will also drop a file named svchosts.exe belonging to the 
W32/Rbot family of worms.

W32/Wurmark-F harvests email addresses from files with the extensions:

WAB
ADB
TBB
DBX
ASP
PHP
HTM
HTML
SHT
TXT
DOC

The worm will skip email addresses containing the following strings:

.gov
ada
avg
gri
icro
lavat
mcae
nod
panda
rsky
soph
sophos
symac

The zip file containing W32/Wurmark-F, attached.zip, is attached to 
emails sent by the worm. The sender address appears to be one of a list 
that includes the addresses below, and the messages take forms that 
include the following:

adead_poet@hotmail.com
alex_edwards2000@msn.com
romeorichard@google.com
apiffany@cnet.com

Subject: Hhahahah lol!!!!

Body:

i found this on my computer from ages ago
download it and see if you can remember it
lol i was lauging like mad when i saw it! :D
email me back haha...

Subject: Your Pic On A Website!!

Body:

I was looking at a website and came across
this pic they look just like you! infact im sure
it is lol , did you send this pic into them ? or
is it someonce else :S ? Ive Added the pic in
a zip so download it and check & email me back!

The file within the attachment can have one of the following
names:

Pic_001.jpg.scr
Sexy_09.jpg.scr
Scan_04.jpg.scr

Advanced
W32/Wurmark-F is a mass mailing worm which sends itself as a zip 
attachment to email addresses found on the infected computer.

When run the worm displays the image uglym.jpg as it installs itself on 
the computer.

The image displayed by the Wurmark-F worm.

W32/Wurmark-F drops several files to the Windows system folder. 
W32/Wurmark-F will drop attached.zip, which is a zip file containing 
W32/Wurmark-F, and xxz.tmp, which is a copy of the worm. W32/Wurmark-F 
will also drop the following clean files:

ANSMTP.DLL
bszip.dll
uglym.jpg

W32/Wurmark-F will also drop a file named svchosts.exe belonging to the 
W32/Rbot family of worms.

W32/Wurmark-F harvests email addresses from files with the extensions:

WAB
ADB
TBB
DBX
ASP
PHP
HTM
HTML
SHT
TXT
DOC

The worm will skip email addresses containing the following strings:

.gov
ada
avg
gri
icro
lavat
mcae
nod
panda
rsky
soph
sophos
symac

The zip file containing W32/Wurmark-F, attached.zip, is attached to 
emails sent by the worm. The sender address appears to be one of the 
addresses listed below, and the messages take the following forms:

adead_poet@hotmail.com
alex_edwards2000@msn.com
romeorichard@google.com
apiffany@cnet.com
sexy_lil_thing@no-ip.com
cutie_pie@ogrish.com
easy_lay666@lovenet.com
hunk_hogan78@hallmark.com
britany_slut56@sex.com
tit_fuck_909@gmail.com
good_fuck12@yahoo.com
blowjob_lips666@romance.com
tit_fuck_909@paltalk.com
sexy_guy88@aol.com
mucle_bound_hunk892@download.com

Subject: Hhahahah lol!!!!

Body:

i found this on my computer from ages ago
download it and see if you can remember it
lol i was lauging like mad when i saw it! :D
email me back haha...

Subject: Your Pic On A Website!!

Body:

I was looking at a website and came across
this pic they look just like you! infact im sure
it is lol , did you send this pic into them ? or
is it someonce else :S ? Ive Added the pic in
a zip so download it and check & email me back!

Subject: Rate My Pic.......

Body:

Hi ive sent 5 emails now and nobody will rate
my pic!! :( please download and tell me what you
think out of 10 , dont worry if you dont like it
just say i wont be offended p.s i was drunk when
it was taken :P

Subject: You have an Admirer

Body:

Someone has asked us on there behalf to send
you this email and tell you they think you are
wonderfull!!! All the The mystery persons details
you need are enclosed in the attachment :)
please download and respond telling us if you
would like to make further contact with this
person.
Regards Hallmark Admirer Mail Admin.

The file within the attachment can have one of the following
names:

Pic_001.jpg.scr
Sexy_09.jpg.scr
Scan_04.jpg.scr
Photo_01.jpg.scr
admire_001.jpg.scr
is_this_you.jpg.scr
love_04.jpg.scr
for_you.pif
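
Both W32/Mytob-W and W32/Wurmark-F deliver the worm either as a bare 
executable attachment or inside a ZIP file, and Wurmark-F gives the 
file a double extension such as Pic_001.jpg.scr so that a mail client 
hiding known extensions shows only the .jpg part. The following Python 
script is an added example for this page, not the worm's code and not 
Sophos code: it classifies an attachment by its final and penultimate 
extensions and, when the attachment is a ZIP archive, applies the same 
test to each member name without extracting anything. The extension 
sets and the constructed in-memory ZIP are the example's own 
assumptions.

```python
import io
import zipfile
from typing import List

# Extensions Windows executes when the file is opened (assumed set; the
# page's attachment lists use exe, com, scr, pif, bat and cmd).
EXECUTABLE_EXTENSIONS = {"exe", "com", "scr", "pif", "bat", "cmd"}
# Extensions used as the decoy part of a double extension such as .jpg.scr.
DECOY_EXTENSIONS = {"jpg", "jpeg", "gif", "bmp", "txt", "doc", "htm", "html", "pdf"}


def classify_attachment_name(name: str) -> List[str]:
    """Return the reasons an attachment file name matches the lures described above."""
    parts = name.lower().split(".")
    reasons: List[str] = []
    if len(parts) < 2:
        return reasons                      # no extension at all
    ext = parts[-1]
    if ext in EXECUTABLE_EXTENSIONS:
        reasons.append(f"executable extension .{ext}")
        if len(parts) >= 3 and parts[-2] in DECOY_EXTENSIONS:
            reasons.append(f"double extension .{parts[-2]}.{ext} hides the executable")
    return reasons


def inspect_attachment(filename: str, data: bytes) -> List[str]:
    """Check an attachment by name and, if it is a ZIP archive, by its member names."""
    findings = [f"{filename}: {r}" for r in classify_attachment_name(filename)]
    if zipfile.is_zipfile(io.BytesIO(data)):
        with zipfile.ZipFile(io.BytesIO(data)) as archive:
            for member in archive.namelist():   # names only; nothing is extracted or run
                findings += [f"{filename} -> {member}: {r}"
                             for r in classify_attachment_name(member)]
    return findings


def build_sample_zip(member_name: str) -> bytes:
    """Build a constructed in-memory ZIP holding one harmless text member under the given name."""
    buffer = io.BytesIO()
    with zipfile.ZipFile(buffer, "w") as archive:
        archive.writestr(member_name, "constructed placeholder, not a program")
    return buffer.getvalue()


if __name__ == "__main__":
    # Constructed inputs mirroring the names quoted on this page.
    for finding in inspect_attachment("attached.zip", build_sample_zip("Pic_001.jpg.scr")):
        print(finding)
    for finding in inspect_attachment("for_you.pif", b"constructed placeholder"):
        print(finding)
```

The check is deliberately name-based so it can run at a mail gateway 
before any content scanning; a real deployment would combine it with 
the content type of the part and with scanning of the archive members.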





Name   W32/Agobot-RJ

Type  
    * Worm

How it spreads  
    * Network shares

Affected operating systems  
    * Windows

Side effects  
    * Turns off anti-virus applications
    * Allows others to access the computer
    * Modifies data on the computer
    * Deletes files off the computer
    * Steals information

Prevalence (1-5) 2

Description
W32/Agobot-RJ is a network worm with backdoor functionality for the 
Windows platform.

W32/Agobot-RJ is capable of spreading to computers on the local network 
protected by weak passwords.

The backdoor component runs continuously in the background providing 
backdoor access to the computer through IRC channels.

Advanced
W32/Agobot-RJ is a network worm with backdoor functionality for the 
Windows platform.

W32/Agobot-RJ is capable of spreading to computers on the local network 
protected by weak passwords.

When first run, W32/Agobot-RJ copies itself to the Windows system folder 
as updateXPSPC.exe and creates the following registry entries to run 
itself each time a user logs on:

HKLM\Software\Microsoft\Windows\CurrentVersion\Run
USB 2.0 Driver
updateXPSPC.exe

HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices
USB 2.0 Driver
updateXPSPC.exe

The backdoor component runs continuously in the background providing 
backdoor access to the computer through IRC channels. The backdoor 
component can be instructed to perform the following functions:

harvest email addresses
steal product registration information for certain software
take part in Distributed Denial of Service (DDoS) attacks
scan networks for vulnerabilities
download/execute arbitrary files
start a proxy server (SOCKS4/SOCKS5)
start/stop system services
monitor network communications (packet sniffing)
add/remove network shares
send email
log keypresses

W32/Agobot-RJ attempts to terminate and disable various anti-virus and 
security related programs and modifies the HOSTS file located at 
<Windows system folder>\Drivers\etc\HOSTS, mapping selected anti-virus 
websites to the loopback address 127.0.0.1 in an attempt to prevent 
access to these sites. Typically the following mappings will be appended 
to the HOSTS file:

127.0.0.1 avp.com
127.0.0.1 ca.com
127.0.0.1 customer.symantec.com
127.0.0.1 dispatch.mcafee.com
127.0.0.1 download.mcafee.com
127.0.0.1 f-secure.com
127.0.0.1 kaspersky.com
127.0.0.1 liveupdate.symantec.com
127.0.0.1 liveupdate.symantecliveupdate.com
127.0.0.1 mast.mcafee.com
127.0.0.1 mcafee.com
127.0.0.1 my-etrust.com
127.0.0.1 nai.com
127.0.0.1 networkassociates.com
127.0.0.1 rads.mcafee.com
127.0.0.1 secure.nai.com
127.0.0.1 securityresponse.symantec.com
127.0.0.1 sophos.com
127.0.0.1 symantec.com
127.0.0.1 trendmicro.com
127.0.0.1 update.symantec.com
127.0.0.1 updates.symantec.com
127.0.0.1 us.mcafee.com
127.0.0.1 viruslist.com
127.0.0.1 viruslist.com
127.0.0.1 www.avp.com
127.0.0.1 www.ca.com
127.0.0.1 www.f-secure.com
127.0.0.1 www.kaspersky.com
127.0.0.1 www.mcafee.com
127.0.0.1 www.my-etrust.com
127.0.0.1 www.nai.com
127.0.0.1 www.networkassociates.com
127.0.0.1 www.sophos.com
127.0.0.1 www.symantec.com
127.0.0.1 www.trendmicro.com
127.0.0.1 www.viruslist.com
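
The HOSTS file tampering described for W32/Mytob-W, W32/Rbot-AAC and 
this worm can be checked for offline. The following Python script is an 
added example written for this page, not Sophos code and not anything 
from the worms: it parses a constructed HOSTS excerpt, reduces each 
hostname to its registrable domain and reports every entry that maps a 
security-vendor domain (drawn from the lists above) to a loopback or 
null address, while leaving ordinary local overrides alone. The sample 
file contents, the VENDOR_DOMAINS set and the function names are the 
example's own assumptions.

```python
from typing import Dict, List

# Constructed HOSTS excerpt showing the kind of tampering described on
# this page, mixed with legitimate entries. Not from an infected machine.
SAMPLE_HOSTS = """\
# Copyright (c) 1993-1999 Microsoft Corp.
127.0.0.1       localhost
::1             localhost
10.0.0.5        fileserver.corp.example   # legitimate local entry (constructed)
127.0.0.1 www.symantec.com
127.0.0.1 securityresponse.symantec.com
127.0.0.1 sophos.com
127.0.0.1 www.sophos.com
127.0.0.1 liveupdate.symantecliveupdate.com
0.0.0.0 ads.example.invalid            # constructed ad-blocking entry, not a vendor
127.0.0.1 www.microsoft.com
"""

# Registrable domains of the security vendors named in the HOSTS lists
# for W32/Mytob-W, W32/Rbot-AAC and W32/Agobot-RJ above.
VENDOR_DOMAINS = {
    "avp.com", "ca.com", "f-secure.com", "kaspersky.com", "mcafee.com",
    "microsoft.com", "my-etrust.com", "nai.com", "networkassociates.com",
    "sophos.com", "symantec.com", "symantecliveupdate.com",
    "trendmicro.com", "viruslist.com",
}

# Addresses that silently swallow the connection.
SINKHOLE_ADDRESSES = {"127.0.0.1", "0.0.0.0", "::1"}


def parse_hosts(text: str) -> List[Dict[str, object]]:
    """Parse HOSTS text into {line, address, hostname} records, skipping comments."""
    records: List[Dict[str, object]] = []
    for lineno, raw in enumerate(text.splitlines(), start=1):
        line = raw.split("#", 1)[0].strip()      # drop comments, full-line or trailing
        if not line:
            continue
        parts = line.split()
        address, hostnames = parts[0], parts[1:]
        for host in hostnames:                   # one line may list several names
            records.append({"line": lineno, "address": address, "hostname": host.lower()})
    return records


def registrable_domain(hostname: str) -> str:
    """Collapse e.g. liveupdate.symantec.com to symantec.com (last two labels)."""
    labels = hostname.rstrip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else hostname


def find_vendor_sinkholes(text: str) -> List[Dict[str, object]]:
    """Return HOSTS records that send a security-vendor domain to a loopback or null address."""
    hits = []
    for rec in parse_hosts(text):
        if rec["hostname"] == "localhost":
            continue                              # the normal loopback entries
        if rec["address"] in SINKHOLE_ADDRESSES and registrable_domain(str(rec["hostname"])) in VENDOR_DOMAINS:
            hits.append(rec)
    return hits


if __name__ == "__main__":
    for hit in find_vendor_sinkholes(SAMPLE_HOSTS):
        print(f"line {hit['line']}: {hit['hostname']} -> {hit['address']}")
```

On Windows the file to read is %SystemRoot%\System32\drivers\etc\hosts 
(the <Windows system folder>\Drivers\etc\HOSTS path given above); on a 
Unix-like host it is /etc/hosts. Keying on the destination address 
means an internal name pointed at a real server is not reported, and 
the two-label collapse is an approximation that a production tool would 
replace with a public suffix list.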

W32/Agobot-RJ attempts to terminate the following processes:

_AVP32.EXE
_AVPCC.EXE
_AVPM.EXE
ACKWIN32.EXE
ADAWARE.EXE
ADVXDWIN.EXE
AGENTSVR.EXE
AGENTW.EXE
ALERTSVC.EXE
ALEVIR.EXE
ALOGSERV.EXE
AMON9X.EXE
ANTI-TROJAN.EXE
ANTIVIRUS.EXE
ANTS.EXE
APIMONITOR.EXE
APLICA32.EXE
APVXDWIN.EXE
ARR.EXE
ATCON.EXE
ATGUARD.EXE
ATRO55EN.EXE
ATUPDATER.EXE
ATWATCH.EXE
AU.EXE
AUPDATE.EXE
AUTO-PROTECT.NAV80TRY.EXE
AUTODOWN.EXE
AUTOTRACE.EXE
AUTOUPDATE.EXE
AVCONSOL.EXE
AVE32.EXE
AVGCC32.EXE
AVGCTRL.EXE
AVGNT.EXE
AVGSERV.EXE
AVGSERV9.EXE
AVGUARD.EXE
AVGW.EXE
AVKPOP.EXE
AVKSERV.EXE
AVKSERVICE.EXE
AVKWCTl9.EXE
AVLTMAIN.EXE
AVNT.EXE
AVP.EXE
AVP32.EXE
AVPCC.EXE
AVPDOS32.EXE
AVPM.EXE
AVPTC32.EXE
AVPUPD.EXE
AVSCHED32.EXE
AVSYNMGR.EXE
AVWIN95.EXE
AVWINNT.EXE
AVWUPD.EXE
AVWUPD32.EXE
AVWUPSRV.EXE
AVXMONITOR9X.EXE
AVXMONITORNT.EXE
AVXQUAR.EXE
BACKWEB.EXE
BARGAINS.EXE
BD_PROFESSIONAL.EXE
BEAGLE.EXE
BELT.EXE
BIDEF.EXE
BIDSERVER.EXE
BIPCP.EXE
BIPCPEVALSETUP.EXE
BISP.EXE
BLACKD.EXE
BLACKICE.EXE
BLSS.EXE
BOOTCONF.EXE
BOOTWARN.EXE
BORG2.EXE
BPC.EXE
BRASIL.EXE
BS120.EXE
BUNDLE.EXE
BVT.EXE
CCAPP.EXE
CCEVTMGR.EXE
CCPXYSVC.EXE
CDP.EXE
CFD.EXE
CFGWIZ.EXE
CFIADMIN.EXE
CFIAUDIT.EXE
CFINET.EXE
CFINET32.EXE
Claw95.EXE
CLAW95CF.EXE
CLEAN.EXE
CLEANER.EXE
CLEANER3.EXE
CLEANPC.EXE
CLICK.EXE
CMD32.EXE
CMESYS.EXE
CMGRDIAN.EXE
CMON016.EXE
CONNECTIONMONITOR.EXE
CPD.EXE
CPF9X206.EXE
CPFNT206.EXE
CTRL.EXE
CV.EXE
CWNB181.EXE
CWNTDWMO.EXE
DATEMANAGER.EXE
DCOMX.EXE
DEFALERT.EXE
DEFSCANGUI.EXE
DEFWATCH.EXE
DEPUTY.EXE
DIVX.EXE
DLLCACHE.EXE
DLLREG.EXE
DOORS.EXE
DPF.EXE
DPFSETUP.EXE
DPPS2.EXE
DRWATSON.EXE
DRWEB32.EXE
DRWEBUPW.EXE
DSSAGEN