Text 112, 982 lines
Written 2005-04-16 23:07:00 by KURT WISMER (1:123/140)
Subject: News, April 16 2005
===========================
[cut-n-paste from sophos.com]
Name Troj/DoomSend-A
Type
* Trojan
Affected operating systems
* Windows
Side effects
* Exploits system or software vulnerabilities
Aliases
* Backdoor.Win32.Naninf.c
Prevalence (1-5) 2
Description
Troj/DoomSend-A is a Trojan for the Windows platform.
Troj/DoomSend-A is capable of exploiting a backdoor in the W32/MyDoom
series of worms. The Trojan may be used by other Trojans or worms as a
helper component.
Troj/DoomSend-A may arrive as an email attachment named "Screenshot of
Site.zip" along with the following email text:
Hello,
I noticed whilst browsing your site that there were problems with some
of your links, when I tried again with Internet Explorer the problems
were not there so I assume that they were caused by me using the Mozilla
browser.
As more people are turning to alternative browsers now it may be of help
for you to know this. I have enclosed a screen capture of the problem so
your team can get it fixed if you deem it an issue.
Name W32/Tirbot-D
Type
* Worm
How it spreads
* Network shares
Affected operating systems
* Windows
Side effects
* Turns off anti-virus applications
* Allows others to access the computer
* Deletes files off the computer
* Downloads code from the internet
* Reduces system security
Prevalence (1-5) 2
Description
W32/Tirbot-D is a network worm with backdoor functionality for the
Windows platform.
The worm spreads to network computers vulnerable to the LSASS
vulnerability (MS04-011) and through network shares protected by weak
passwords.
The backdoor component joins one of 4 predetermined IRC channels and
awaits further commands from remote users. The backdoor component can
then be instructed to perform the following:
Take part in distributed denial of service (DDoS) attacks
Upload/download files
Execute files
Serve as a proxy server
Harvest information from the system registry
Report filesystem information
List running processes
Scan for the presence of anti-virus software
Terminate running processes
Remove registry entries
Advanced
W32/Tirbot-D is a network worm with backdoor functionality for the
Windows platform.
The worm spreads to network computers vulnerable to the LSASS
vulnerability (MS04-011) and through network shares protected by weak
passwords.
The backdoor component joins one of 4 predetermined IRC channels and
awaits further commands from remote users. The backdoor component can
then be instructed to perform the following:
Take part in distributed denial of service (DDoS) attacks
Upload/download files
Execute files
Serve as a proxy server
Harvest information from the system registry
Report filesystem information
List running processes
Scan for the presence of anti-virus software
Terminate running processes
Remove registry entries
W32/Tirbot-D will attempt to report the infection to a predefined URL.
When first run, W32/Tirbot-D copies itself to the Windows system folder
as MSDTCs.exe and sets the following registry entry in order to run each
time a user logs on:
HKLM\Software\Microsoft\Windows\CurrentVersion\Run
IECheck
<Windows system folder>\MSDTCs.exe
A patch is available from Microsoft for the LSASS vulnerability
exploited by W32/Tirbot-D:
http://www.microsoft.com/technet/security/bulletin/ms04-011.mspx
Name W32/Kelvir-J
Type
* Worm
How it spreads
* Chat programs
Affected operating systems
* Windows
Side effects
* Drops more malware
Aliases
* W32/Kelvir.worm.gen
* W32.Kelvir.T
Prevalence (1-5) 2
Description
W32/Kelvir-J is an instant messaging worm.
W32/Kelvir-J spreads by sending a message through Windows Messenger to
all of the infected user's contacts.
W32/Kelvir-J encourages the recipient to visit a website to download a
file which is usually a copy of the worm. The message text is "it's you
<URL>".
W32/Kelvir-J may also drop a file detected by Sophos as W32/Sdbot-XE.
Name Troj/BagleDl-N
Type
* Trojan
Affected operating systems
* Windows
Side effects
* Drops more malware
Aliases
* Email-Worm.Win32.Bagle.pac
Prevalence (1-5) 2
Description
Troj/BagleDl-N is a Trojan dropper.
Troj/BagleDl-N creates two randomly named files in the user's temp
folder. One file has an extension of TXT and contains the text 'Sorry.'
The other file has an extension of EXE and is a Trojan detected by
Sophos's anti-virus products as Troj/BagDl-Gen.
Troj/BagleDl-N has been distributed as a RAR archive attached to email.
Name W32/Sdbot-XC
Type
* Worm
How it spreads
* Network shares
Affected operating systems
* Windows
Side effects
* Turns off anti-virus applications
* Allows others to access the computer
* Drops more malware
* Reduces system security
* Records keystrokes
* Installs itself in the Registry
Aliases
* Backdoor.Win32.Agobot.abl
* W32/Sdbot.worm.gen.w
Prevalence (1-5) 2
Description
W32/Sdbot-XC is a network worm with backdoor functionality for the
Windows platform.
The worm spreads through network shares protected by weak passwords,
MS-SQL servers and through various operating system vulnerabilities.
Patches for the vulnerabilities exploited by W32/Sdbot-XC can be
obtained from Microsoft at:
http://www.microsoft.com/technet/security/bulletin/ms04-011.mspx
http://www.microsoft.com/technet/security/bulletin/ms04-012.mspx
http://www.microsoft.com/technet/security/bulletin/ms03-039.mspx
Advanced
W32/Sdbot-XC is a network worm with backdoor functionality for the
Windows platform.
When first run, W32/Sdbot-XC copies itself to the Windows system folder
as systeminfos.exe and creates the following registry entries in order
to run each time a user logs on:
HKLM\Software\Microsoft\Windows\CurrentVersion\Run\
Compaq Service Drivers
systeminfos.exe
HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices\
Compaq Service Drivers
systeminfos.exe
HKCU\Software\Microsoft\Windows\CurrentVersion\Run\
Compaq Service Drivers
systeminfos.exe
HKCU\Software\Microsoft\Windows\CurrentVersion\RunServices\
Compaq Service Drivers
systeminfos.exe
The worm spreads through network shares protected by weak passwords,
MS-SQL servers and through various operating system vulnerabilities.
W32/Sdbot-XC connects to a predetermined IRC channel and awaits further
commands from remote users. The backdoor component of W32/Sdbot-XC can
be instructed to perform the following functions:
scan networks for vulnerabilities
download/execute arbitrary files
start an ftp server
Patches for the vulnerabilities exploited by W32/Sdbot-XC can be
obtained from Microsoft at:
http://www.microsoft.com/technet/security/bulletin/ms04-011.mspx
http://www.microsoft.com/technet/security/bulletin/ms04-012.mspx
http://www.microsoft.com/technet/security/bulletin/ms03-039.mspx
W32/Sdbot-XC also drops a file to the current folder as msdirectx.sys.
The dropped file is detected by Sophos's anti-virus products as
Troj/NtRootK-F.
W32/Sdbot-XC terminates a number of processes including ones related to
various AV and security applications as well as TASKMGR.EXE and
REGEDIT.EXE.
Name Troj/Agent-DI
Type
* Trojan
Affected operating systems
* Windows
Side effects
* Turns off anti-virus applications
* Allows others to access the computer
* Modifies data on the computer
* Records keystrokes
* Installs itself in the Registry
Prevalence (1-5) 2
Description
Troj/Agent-DI is a backdoor Trojan for the Windows platform.
Troj/Agent-DI allows unauthorised remote access to the infected
computer, running in the background waiting for commands from a remote
intruder. The Trojan can be instructed to download and run arbitrary
files.
Troj/Agent-DI may disable the Windows Firewall and turn off notification
of lack of Anti-virus software on the computer. The Trojan may also
download configuration data from:
http://bn.inf3ct3d.info
Advanced
Troj/Agent-DI is a backdoor Trojan for the Windows platform.
Troj/Agent-DI allows unauthorised remote access to the infected
computer, running in the background waiting for commands from a remote
intruder. The Trojan can be instructed to download and run arbitrary
files.
Troj/Agent-DI may disable the Windows Firewall and turn off notification
of lack of Anti-virus software on the computer. The Trojan may also
download configuration data from:
http://bn.inf3ct3d.info
Troj/Agent-DI copies itself to the Windows system folder as
"svchost.exe" and creates a DLL file named "svchost.dll". The Trojan
sets the following registry entry in order to run automatically on
computer login:
HKLM\Software\Microsoft\Windows\CurrentVersion\Run\
WindowsUpdate =
%System%\svchost.exe /s
Troj/Agent-DI creates registry entries for its own use under:
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellBot
The Trojan attempts to reduce system security by altering the following
registry entries:
HKLM\SYSTEM\ControlSet001\Services\SharedAccess\Parameters
\FirewallPolicy\StandardProfile\EnableFireWall
HKLM\SOFTWARE\Microsoft\Security Center\FireWallDisableNotify
HKLM\SOFTWARE\Microsoft\Security Center\AntiVirusDisableNotify
Name W32/Codbot-K
Type
* Worm
How it spreads
* Network shares
Affected operating systems
* Windows
Side effects
* Allows others to access the computer
* Downloads code from the internet
* Reduces system security
* Installs itself in the Registry
* Exploits system or software vulnerabilities
Aliases
* Backdoor.Win32.Codbot.z
* W32/Gaobot.worm.gen.q
* W32.Randex
Prevalence (1-5) 2
Description
W32/Codbot-K is a network worm with backdoor functionality for the
Windows platform.
The worm connects to an IRC channel and listens for backdoor commands
from a remote attacker. The backdoor functionality of the worm includes
the ability to sniff packets, download further malicious code and steal
passwords and other system information.
Advanced
W32/Codbot-K is a network worm with backdoor functionality for the
Windows platform.
The worm connects to an IRC channel and listens for backdoor commands
from a remote attacker. The backdoor functionality of the worm includes
the ability to sniff packets, download further malicious code and steal
passwords and other system information.
When first run, W32/Codbot-K copies itself to the Windows system folder
as SCardClnt.exe and installs itself as a service with these attributes:
servicename = SCardClnt
displayname = "Smart Card Client"
imagepath = <Windows system folder>SCardClnt.exe
W32/Codbot-K may make the following change to the system registry:
HKLM\SOFTWARE\Microsoft\Ole
EnableDCOM
N
W32/Codbot-K may attempt to exploit a number of vulnerabilities,
including the LSASS vulnerability (MS04-011).
A patch for the operating system vulnerability exploited by W32/Codbot-K
can be obtained from Microsoft at:
http://www.microsoft.com/technet/security/bulletin/ms04-011.mspx
Name Troj/Bancos-CD
Type
* Trojan
Affected operating systems
* Windows
Side effects
* Steals information
* Forges the sender's email address
* Uses its own emailing engine
* Reduces system security
* Records keystrokes
* Installs itself in the Registry
Aliases
* Trojan-Spy.Win32.Bancos.cr
* TROJ_BANCOS.XZ
Prevalence (1-5) 2
Description
Troj/Bancos-CD is a password stealing Trojan for the Windows platform
that targets customers of Brazilian banks.
Troj/Bancos-CD monitors a user's internet access, and when certain
internet banking sites are visited, the Trojan will display a fake login
screen in order to trick the user into inputting their details.
Advanced
Troj/Bancos-CD is a password stealing Trojan for the Windows platform
that targets customers of Brazilian banks.
Once executed Troj/Bancos-CD displays a fake error message, copies
itself to the root and to the Arquivos de programas folder on the C:
drive with the filename IExplorer.exe, and sets the following registry
entry in order to be able to run automatically when Windows starts up:
HKCU\Software\Microsoft\Windows\CurrentVersion\Run
IExplorer
C:\Arquivos de programas\IExplorer.EXE
Troj/Bancos-CD monitors a user's internet access, and when certain
internet banking sites are visited, the Trojan will display a fake login
screen in order to trick the user into inputting their details.
Troj/Bancos-CD also creates an appstart32.inf data file in the Windows
inf folder.
Name W32/Mytob-E
Type
* Worm
How it spreads
* Email attachments
Affected operating systems
* Windows
Side effects
* Allows others to access the computer
* Modifies data on the computer
* Uses its own emailing engine
* Installs itself in the Registry
Aliases
* Net-Worm.Win32.Mytob.h
* W32/Mytob.gen@MM
* WORM_MYTOB.J
Prevalence (1-5) 2
Description
W32/Mytob-E is a mass-mailing worm and backdoor Trojan that targets
users of Internet Relay Chat programs.
Advanced
W32/Mytob-E is a mass-mailing worm and backdoor Trojan that targets
users of Internet Relay Chat programs.
When first run W32/Mytob-E copies itself to the Windows system folder as
taskgmr.exe and creates the following registry entries:
HKCU\Software\Microsoft\OLE
WINTASK
taskgmr.exe
HKCU\SYSTEM\CurrentControlSet\Control\Lsa
WINTASK
taskgmr.exe
HKCU\Software\Microsoft\Windows\CurrentVersion\Run
WINTASK
taskgmr.exe
HKLM\SOFTWARE\Microsoft\Ole
WINTASK
taskgmr.exe
HKLM\SYSTEM\CurrentControlSet\Control\Lsa
WINTASK
taskgmr.exe
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
WINTASK
taskgmr.exe
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices
WINTASK
taskgmr.exe
W32/Mytob-E copies itself to the root folder as:
funny_pic.scr
my_photo2005.scr
see_this!!.scr
and creates the helper file hellmsn.exe (detected by Sophos as
W32/Mytob-D) in the same location.
W32/Mytob-E also appends the following to the HOSTS file to deny access
to security related websites:
127.0.0.1 www.symantec.com
127.0.0.1 securityresponse.symantec.com
127.0.0.1 symantec.com
127.0.0.1 www.sophos.com
127.0.0.1 sophos.com
127.0.0.1 www.mcafee.com
127.0.0.1 mcafee.com
127.0.0.1 liveupdate.symantecliveupdate.com
127.0.0.1 www.viruslist.com
127.0.0.1 viruslist.com
127.0.0.1 viruslist.com
127.0.0.1 f-secure.com
127.0.0.1 www.f-secure.com
127.0.0.1 kaspersky.com
127.0.0.1 www.avp.com
127.0.0.1 www.kaspersky.com
127.0.0.1 avp.com
127.0.0.1 www.networkassociates.com
127.0.0.1 networkassociates.com
127.0.0.1 www.ca.com
127.0.0.1 ca.com
127.0.0.1 mast.mcafee.com
127.0.0.1 my-etrust.com
127.0.0.1 www.my-etrust.com
127.0.0.1 download.mcafee.com
127.0.0.1 dispatch.mcafee.com
127.0.0.1 secure.nai.com
127.0.0.1 nai.com
127.0.0.1 www.nai.com
127.0.0.1 update.symantec.com
127.0.0.1 updates.symantec.com
127.0.0.1 us.mcafee.com
127.0.0.1 liveupdate.symantec.com
127.0.0.1 customer.symantec.com
127.0.0.1 rads.mcafee.com
127.0.0.1 trendmicro.com
127.0.0.1 www.microsoft.com
127.0.0.1 www.trendmicro.com
Name W32/Mytob-AX
Type
* Worm
How it spreads
* Email attachments
* Network shares
Affected operating systems
* Windows
Side effects
* Allows others to access the computer
* Sends itself to email addresses found on the infected computer
* Modifies data on the computer
* Deletes files off the computer
* Steals information
Aliases
* W32/Mytob.x@MM
Prevalence (1-5) 2
Description
W32/Mytob-AX is a mass-mailing worm and backdoor Trojan that targets
users of Internet Relay Chat programs.
W32/Mytob-AX is capable of spreading through email and through various
operating system vulnerabilities such as LSASS (MS04-011).
W32/Mytob-AX harvests email addresses from files on the infected
computer and from the Windows address book and sends itself as an
attachment to each address found.
Advanced
W32/Mytob-AX is a mass-mailing worm and backdoor Trojan that targets
users of Internet Relay Chat programs.
When first run W32/Mytob-AX copies itself to the Windows system folder
as hostdrvXP.exe and creates the following registry entries:
HKCU\Software\Microsoft\OLE
WINTASKMANAGER
hostdrvXP.exe
HKCU\System\CurrentControlSet\Control\Lsa
WINTASKMANAGER
hostdrvXP.exe
HKCU\Software\Microsoft\Windows\CurrentVersion\Run
WINTASKMANAGER
hostdrvXP.exe
HKLM\Software\Microsoft\Ole
WINTASKMANAGER
hostdrvXP.exe
HKLM\System\CurrentControlSet\Control\Lsa
WINTASKMANAGER
hostdrvXP.exe
HKLM\Software\Microsoft\Windows\CurrentVersion\Run
WINTASKMANAGER
hostdrvXP.exe
HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices
WINTASKMANAGER
hostdrvXP.exe
W32/Mytob-AX copies itself to the root folder as:
funny_pic.scr
my_photo2005.scr
see_this!!.scr
and drops a file called hellmsn.exe (detected by Sophos as W32/Mytob-D)
in the same location. This component attempts to spread the worm by
sending the aforementioned SCR files through Windows Messenger to all
online contacts.
W32/Mytob-AX also appends the following to the HOSTS file to deny access
to security related websites:
127.0.0.1 www.symantec.com
127.0.0.1 securityresponse.symantec.com
127.0.0.1 symantec.com
127.0.0.1 www.sophos.com
127.0.0.1 sophos.com
127.0.0.1 www.mcafee.com
127.0.0.1 mcafee.com
127.0.0.1 liveupdate.symantecliveupdate.com
127.0.0.1 www.viruslist.com
127.0.0.1 viruslist.com
127.0.0.1 viruslist.com
127.0.0.1 f-secure.com
127.0.0.1 www.f-secure.com
127.0.0.1 kaspersky.com
127.0.0.1 www.avp.com
127.0.0.1 www.kaspersky.com
127.0.0.1 avp.com
127.0.0.1 www.networkassociates.com
127.0.0.1 networkassociates.com
127.0.0.1 www.ca.com
127.0.0.1 ca.com
127.0.0.1 mast.mcafee.com
127.0.0.1 my-etrust.com
127.0.0.1 www.my-etrust.com
127.0.0.1 download.mcafee.com
127.0.0.1 dispatch.mcafee.com
127.0.0.1 secure.nai.com
127.0.0.1 nai.com
127.0.0.1 www.nai.com
127.0.0.1 update.symantec.com
127.0.0.1 updates.symantec.com
127.0.0.1 us.mcafee.com
127.0.0.1 liveupdate.symantec.com
127.0.0.1 customer.symantec.com
127.0.0.1 rads.mcafee.com
127.0.0.1 trendmicro.com
127.0.0.1 www.microsoft.com
127.0.0.1 www.trendmicro.com
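The HOSTS-file tampering described for W32/Mytob-E and W32/Mytob-AX above is a cheap thing to check for on any Windows host, because the file is plain text and the pattern is fixed: a security vendor's name mapped to an address that goes nowhere. The script below is an added example, not code from this post or from Sophos. It parses HOSTS text, ignores comments and the legitimate localhost line, and reports any vendor domain that resolves to a loopback or null address. It goes a little beyond the page by also treating 0.0.0.0 and ::1 as sinkhole addresses and by matching subdomains such as securityresponse.symantec.com against their parent domain; the vendor list (PROTECTED_DOMAINS), the two-label domain heuristic and the sample HOSTS content are all assumptions constructed for the example.

```python
"""Flag HOSTS-file entries that sinkhole security vendor domains.

Added example; not part of the original newsletter or of Sophos's write-ups.
The vendor list and the sample HOSTS content below are constructed.
"""
import ipaddress

# Registrable domains of the vendors the Mytob HOSTS lists above redirect.
# Assumption: a real deployment would maintain this list centrally.
PROTECTED_DOMAINS = {
    "symantec.com", "symantecliveupdate.com", "sophos.com", "mcafee.com",
    "f-secure.com", "kaspersky.com", "avp.com", "viruslist.com",
    "networkassociates.com", "ca.com", "my-etrust.com", "nai.com",
    "trendmicro.com", "microsoft.com",
}

# Address ranges that make a name resolve to nothing useful.
SINKHOLE_NETWORKS = (
    ipaddress.ip_network("127.0.0.0/8"),
    ipaddress.ip_network("0.0.0.0/8"),
    ipaddress.ip_network("::1/128"),
)

# Constructed sample: a normal localhost line, one legitimate intranet
# mapping, and three lines of the kind the worms above append.
SAMPLE_HOSTS = """\
# sample HOSTS file (constructed for this example)
127.0.0.1       localhost
::1             localhost
10.0.0.5        intranet.example.internal   # legitimate local mapping
127.0.0.1 www.symantec.com
127.0.0.1 liveupdate.symantecliveupdate.com
0.0.0.0 sophos.com
127.0.0.1 www.example.com
"""


def parse_hosts(text):
    """Yield (ip_address, hostname) pairs, skipping comments and blank lines."""
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.split()
        if len(parts) < 2:
            continue
        try:
            ip = ipaddress.ip_address(parts[0])
        except ValueError:
            continue  # not a HOSTS entry; ignore rather than fail the scan
        for host in parts[1:]:
            yield ip, host.lower().rstrip(".")


def registrable_domain(host):
    """Last two labels of a hostname (assumption: no public-suffix list)."""
    labels = host.split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host


def is_sinkhole(ip):
    """True if ip (string or ipaddress object) lies in a sinkhole range."""
    if isinstance(ip, str):
        ip = ipaddress.ip_address(ip)
    # Mixed IPv4/IPv6 membership tests simply return False.
    return any(ip in net for net in SINKHOLE_NETWORKS)


def find_sinkholed_vendors(text):
    """Return the sorted hostnames of protected domains mapped to a sinkhole."""
    hits = set()
    for ip, host in parse_hosts(text):
        if host == "localhost":
            continue  # the one loopback entry every HOSTS file should have
        if is_sinkhole(ip) and registrable_domain(host) in PROTECTED_DOMAINS:
            hits.add(host)
    return sorted(hits)


if __name__ == "__main__":
    for host in find_sinkholed_vendors(SAMPLE_HOSTS):
        print("sinkholed vendor host:", host)
```

On a real machine, pass the contents of %SystemRoot%\system32\drivers\etc\hosts in place of SAMPLE_HOSTS; any hit is a strong sign that an update or scanning channel has been cut, which is exactly the precondition the worms above try to create before a user notices the infection.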
W32/Mytob-AX is capable of spreading through email and through various
operating system vulnerabilities such as LSASS (MS04-011). Email sent by
W32/Mytob-AX has the following properties:
Subject line:
document
Good day
Hello
Mail Delivery System
Mail Transaction Failed
message
readme
Server Report
Status
Message text:
Here are your banks documents.
The original message was included as an attachment.
The message cannot be represented in 7-bit ASCII encoding and has been
sent as a binary attachment.
The message contains Unicode characters and has been sent as a binary
attachment.
Mail transaction failed. Partial message is available.
The message cannot be represented in 7-bit ASCII encoding and has been
sent as a binary attachment.
The attached file consists of a base name followed by the extensions
PIF, SCR, EXE or ZIP. The worm may optionally create double extensions
where the first extension is DOC, TXT or HTM and the final extension is
PIF, SCR, EXE or ZIP.
W32/Mytob-AX harvests email addresses from files on the infected
computer and from the Windows address book. The worm avoids sending
email to addresses that contain the following:
.gov
.mil
accoun
acketst
admin
anyone
arin.
avp
berkeley
borlan
bsd
bsd
bugs
ca
certific
contact
example
feste
fido
foo.
fsf.
gnu
gold-certs
google
google
gov.
help
iana
ibm.com
icrosof
icrosoft
ietf
info
inpris
isc.o
isi.e
kernel
linux
linux
listserv
math
me
mit.e
mozilla
mydomai
no
nobody
nodomai
noone
not
nothing
ntivi
page
panda
pgp
postmaster
privacy
rating
rfc-ed
ripe.
root
ruslis
samples
secur
sendmail
service
site
soft
somebody
someone
sopho
submit
support
syma
tanford.e
the.bat
unix
unix
usenet
utgers.ed
webmaster
you
your
Name W32/Rbot-AAJ
Type
* Worm
How it spreads
* Network shares
Affected operating systems
* Windows
Side effects
* Allows others to access the computer
* Modifies data on the computer
* Deletes files off the computer
* Steals information
* Uses its own emailing engine
Aliases
* Backdoor.Win32.Rbot.gen
Prevalence (1-5) 2
Description
W32/Rbot-AAJ is a worm with backdoor Trojan functionality.
W32/Rbot-AAJ is capable of spreading to computers on the local network
protected by weak passwords after receiving the appropriate backdoor
command. W32/Rbot-AAJ will also attempt to spread by exploiting a number
of software vulnerabilities.
Advanced
W32/Rbot-AAJ is a worm with backdoor Trojan functionality.
W32/Rbot-AAJ is capable of spreading to computers on the local network
protected by weak passwords after receiving the appropriate backdoor
command.
W32/Rbot-AAJ will attempt to spread by exploiting the following
vulnerabilities:
DCOM (MS04-012)
LSASS (MS04-011)
Microsoft SQL servers with weak passwords
When first run, W32/Rbot-AAJ moves itself to the Windows system folder
as WINTSK32DLL.EXE. In order to run automatically each time a user logs
in, W32/Rbot-AAJ will set the following registry entries:
HKLM\Software\Microsoft\Windows\CurrentVersion\Run
wintsk32dll
wintsk32dll.exe
HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices
wintsk32dll
wintsk32dll.exe
W32/Rbot-AAJ will also set the following registry entry:
HKCU\Software\Microsoft\OLE
wintsk32dll
wintsk32dll.exe
The worm runs continuously in the background, providing backdoor access
to the infected computer over IRC channels.
W32/Rbot-AAJ may modify the following registry entries in order to
enable/disable DCOM and open/close restrictions on IPC$ shares:
HKLM\SOFTWARE\Microsoft\Ole\EnableDCOM
HKLM\SYSTEM\CurrentControlSet\Control\Lsa\restrictanonymous
Name Troj/Agent-DH
Type
* Trojan
Affected operating systems
* Windows
Side effects
* Allows others to access the computer
* Modifies data on the computer
* Downloads code from the internet
* Reduces system security
* Installs itself in the Registry
Aliases
* BackDoor-COC
* Trojan.Win32.Dialer.gq
Prevalence (1-5) 2
Description
Troj/Agent-DH is a backdoor Trojan.
Troj/Agent-DH will contact a preconfigured remote location to report
that the computer has been infected and will then await backdoor
commands. Troj/Agent-DH can be used to download, upload, modify and run
executable files. The Trojan can also be used to modify registry entries
and kill processes.
Advanced
Troj/Agent-DH is a backdoor Trojan.
Troj/Agent-DH will contact a preconfigured remote location to report
that the computer has been infected and will then await backdoor
commands. Troj/Agent-DH can be used to download, upload, modify and run
executable files. The Trojan can also be used to modify registry entries
and kill processes.
When first run, Troj/Agent-DH will copy itself to the user's Temporary
folder as DC.EXE. In order to run automatically each time a user logs
in, Troj/Agent-DH will set the following registry entry:
HKCU\Software\Microsoft\Windows\CurrentVersion\Run
BD
<path to Trojan>
Troj/Agent-DH will create a log file named BACKDOOR.LOG in the user's
Temporary folder.
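Nearly every write-up above (W32/Tirbot-D, W32/Sdbot-XC, Troj/Agent-DI, W32/Mytob-E, W32/Mytob-AX, W32/Rbot-AAJ and Troj/Agent-DH) persists through a value under a CurrentVersion\Run or RunServices key, and several name their copy after a genuine Windows binary or a near miss of one: svchost.exe started from a Run value, taskgmr.exe for taskmgr.exe, MSDTCs.exe for msdtc.exe, systeminfos.exe for systeminfo.exe. The script below is an added example, not code from this post or from Sophos. It parses the text produced by reg export offline, so it can be run against a file collected from a suspect machine, and flags autorun values whose name is on a watchlist, whose image is a system binary name that Windows never launches from an autorun key, or whose image is one edit away from such a name. The watchlist of value names is taken from the descriptions above; the list of system binaries (SYSTEM_BINARIES) and the .reg content are constructed assumptions.

```python
"""Audit Run/RunServices entries in a .reg export for the persistence
patterns in the write-ups above. Added example; not from the newsletter or
Sophos. Watchlist names come from the descriptions; the .reg text and the
system-binary list are constructed for the example."""
import re

AUTORUN_KEY_SUFFIXES = ("\\currentversion\\run", "\\currentversion\\runservices",
                        "\\currentversion\\runonce")

# Value names the descriptions above place under Run/RunServices keys.
KNOWN_BAD_VALUE_NAMES = {"iecheck", "compaq service drivers", "windowsupdate",
                         "wintask", "wintaskmanager", "wintsk32dll", "bd",
                         "iexplorer"}

# Illustrative subset of legitimate Windows binaries the malware above imitates.
SYSTEM_BINARIES = {"svchost.exe", "taskmgr.exe", "msdtc.exe", "systeminfo.exe",
                   "explorer.exe"}

# Constructed .reg export: two legitimate-looking entries, three malicious ones.
SAMPLE_REG = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SecurityHealth"="%windir%\\system32\\SecurityHealthSystray.exe"
"IECheck"="C:\\WINDOWS\\system32\\MSDTCs.exe"
"WindowsUpdate"="C:\\WINDOWS\\system32\\svchost.exe /s"

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"WINTASK"="taskgmr.exe"
"OneDrive"="\"C:\\Users\\u\\AppData\\Local\\Microsoft\\OneDrive\\OneDrive.exe\" /background"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Ole]
"EnableDCOM"="N"
"""

_VALUE_RE = re.compile(r'^(?:"((?:[^"\\]|\\.)*)"|(@))=("(?:[^"\\]|\\.)*")\s*$')


def parse_reg_export(text):
    """Return {key: {value_name: string_value}} for the REG_SZ lines of a .reg file.
    Non-string values (dword:, hex:) are skipped; .reg escapes \\\\ and \\" are undone."""
    result, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";") or line.startswith("Windows Registry Editor"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            result.setdefault(current, {})
            continue
        m = _VALUE_RE.match(line)
        if m and current is not None:
            name = "@" if m.group(1) is None else m.group(1).replace('\\"', '"')
            value = m.group(3)[1:-1].replace("\\\\", "\\").replace('\\"', '"')
            result[current][name] = value
    return result


def osa_distance(a, b):
    """Optimal string alignment distance: edits plus adjacent transpositions."""
    d = [[0] * (len(b) + 1) for _ in range(len(a) + 1)]
    for i in range(len(a) + 1):
        d[i][0] = i
    for j in range(len(b) + 1):
        d[0][j] = j
    for i in range(1, len(a) + 1):
        for j in range(1, len(b) + 1):
            cost = 0 if a[i - 1] == b[j - 1] else 1
            d[i][j] = min(d[i - 1][j] + 1, d[i][j - 1] + 1, d[i - 1][j - 1] + cost)
            if i > 1 and j > 1 and a[i - 1] == b[j - 2] and a[i - 2] == b[j - 1]:
                d[i][j] = min(d[i][j], d[i - 2][j - 2] + 1)
    return d[len(a)][len(b)]


def image_basename(command):
    """Lower-cased file name of the executable in an autorun command line."""
    cmd = command.strip()
    if cmd.startswith('"'):
        end = cmd.find('"', 1)
        exe = cmd[1:end] if end > 0 else cmd[1:]
    else:
        exe = cmd.split()[0] if cmd else ""
    return exe.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def audit_autoruns(reg):
    """Return (key, value_name, reason) triples for suspicious autorun values."""
    findings = []
    for key, values in reg.items():
        if not key.lower().endswith(AUTORUN_KEY_SUFFIXES):
            continue
        for name, command in values.items():
            exe = image_basename(command)
            if name.lower() in KNOWN_BAD_VALUE_NAMES:
                findings.append((key, name, f"value name on watchlist ({exe})"))
            if exe in SYSTEM_BINARIES:
                findings.append((key, name, f"{exe} is a system binary name; Windows never starts it from an autorun key"))
            else:
                near = [s for s in SYSTEM_BINARIES if osa_distance(exe, s) == 1]
                if near:
                    findings.append((key, name, f"{exe} is a lookalike of {near[0]}"))
    return findings


if __name__ == "__main__":
    for key, name, reason in audit_autoruns(parse_reg_export(SAMPLE_REG)):
        print(f"{key} :: {name} -> {reason}")
```

The lookalike test is deliberately strict (exactly one edit) so that it catches the transposition and appended-letter tricks above without flagging every vendor tool whose name happens to resemble a system binary; loosen it only together with a path check, since the descriptions show these copies living in the Windows system folder itself, where a name alone is the only tell.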
--- MultiMail/Win32 v0.43
* Origin: Try Our Web Based QWK: DOCSPLACE.ORG (1:123/140)