Text 117, 2140 lines
Written 2005-05-28 17:17:00 by KURT WISMER (1:123/140)
Subject: News, May 28 2005
=========================
[cut-n-paste from sophos.com]
Name W32/Mytob-CN
Type
* Worm
How it spreads
* Email messages
* Email attachments
Affected operating systems
* Windows
Side effects
* Turns off anti-virus applications
* Allows others to access the computer
* Modifies data on the computer
* Deletes files off the computer
* Uses its own emailing engine
Prevalence (1-5) 3
Description
W32/Mytob-CN is a mass-mailing worm and IRC backdoor Trojan.
W32/Mytob-CN can spread by sending itself as an email attachment to
email addresses it harvests from the infected computer.
Advanced
W32/Mytob-CN is a mass-mailing worm and IRC backdoor Trojan.
W32/Mytob-CN runs continuously in the background, providing a backdoor
server which allows a remote intruder to gain access and control over
the computer via IRC channels.
W32/Mytob-CN can spread by sending itself as an email attachment to
email addresses it harvests from the infected computer.
Emails sent by the worm have the following characteristics:
Subject:
Security measures
Notice: **Last Warning**
*DETECTED* Online User Violation
Your Email Account is Suspended For Security Reasons
Account Alert
Important Notification
*WARNING* Your Email Account Will Be Closed
Email Account Suspension
Notice of account limitation
Message text:
Once you have completed the form in the attached file , your account
records will not be interrupted and will continue as normal.
The original message has been included as an attachment.
We regret to inform you that your account has been suspended due to the
violation of our site policy, more info is attached.
We attached some important information regarding your account.
Please read the attached document and follow it's instructions.
When first run W32/Mytob-CN copies itself to <Windows system>\nec.exe.
The following registry entries are created to run nec.exe on startup:
HKLM\Software\Microsoft\Windows\CurrentVersion\Run
WINDOWS SYSTEM
nec.exe
HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices
WINDOWS SYSTEM
nec.exe
W32/Mytob-CN sets the following registry entries, disabling the
automatic startup of other software:
HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess
Start
4
W32/Mytob-CN modifies the Windows hosts file in order to block access to
the following security-related websites:
127.0.0.1 www.symantec.com
127.0.0.1 securityresponse.symantec.com
127.0.0.1 symantec.com
127.0.0.1 www.sophos.com
127.0.0.1 sophos.com
127.0.0.1 www.mcafee.com
127.0.0.1 mcafee.com
127.0.0.1 liveupdate.symantecliveupdate.com
127.0.0.1 www.viruslist.com
127.0.0.1 viruslist.com
127.0.0.1 viruslist.com
127.0.0.1 f-secure.com
127.0.0.1 www.f-secure.com
127.0.0.1 kaspersky.com
127.0.0.1 kaspersky-labs.com
127.0.0.1 www.avp.com
127.0.0.1 www.kaspersky.com
127.0.0.1 avp.com
127.0.0.1 www.networkassociates.com
127.0.0.1 networkassociates.com
127.0.0.1 www.ca.com
127.0.0.1 ca.com
127.0.0.1 mast.mcafee.com
127.0.0.1 my-etrust.com
127.0.0.1 www.my-etrust.com
127.0.0.1 download.mcafee.com
127.0.0.1 dispatch.mcafee.com
127.0.0.1 secure.nai.com
127.0.0.1 nai.com
127.0.0.1 www.nai.com
127.0.0.1 update.symantec.com
127.0.0.1 updates.symantec.com
127.0.0.1 us.mcafee.com
127.0.0.1 liveupdate.symantec.com
127.0.0.1 customer.symantec.com
127.0.0.1 rads.mcafee.com
127.0.0.1 trendmicro.com
127.0.0.1 www.trendmicro.com
127.0.0.1 www.grisoft.com
127.0.0.1 www.microsoft.com
127.0.0.1 microsoft.com
127.0.0.1 www.msn.com
127.0.0.1 www.virustotal.com
127.0.0.1 virustotal.com
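The hosts-file tampering listed above is the easiest Mytob artefact to check for, and the same check catches every other family on this page that uses it. The script below is an added example, not Sophos's or the worm's code: it parses a hosts file, reports any entry for a watchlisted vendor or update domain (whatever address it points at, since a redirect to an attacker-controlled IP is as harmful as a loopback sinkhole), and separately flags non-localhost names mapped to loopback or 0.0.0.0. SAMPLE_HOSTS is a constructed file; WATCHLIST is built from the domains in the list above and can be extended.

```python
"""Audit a Windows hosts file for entries that sinkhole security-vendor
and update domains, as the Mytob variants above do.

Added example, not Sophos's or the worm's code. SAMPLE_HOSTS is a
constructed file; WATCHLIST is built from the domains the advisories
list and can be extended."""
import ipaddress
import os
from typing import List, Set, Tuple

WATCHLIST: Set[str] = {
    "symantec.com", "symantecliveupdate.com", "sophos.com", "mcafee.com",
    "nai.com", "networkassociates.com", "f-secure.com", "kaspersky.com",
    "kaspersky-labs.com", "avp.com", "ca.com", "my-etrust.com",
    "trendmicro.com", "viruslist.com", "virustotal.com", "grisoft.com",
    "microsoft.com", "msn.com",
}
# Names a hosts file legitimately maps to loopback.
LEGIT_LOOPBACK = {"localhost", "localhost.localdomain", "broadcasthost"}

Finding = Tuple[int, str, str, str]   # line number, address, hostname, reason


def parent_domains(host: str) -> Set[str]:
    """'www.sophos.com' -> {'www.sophos.com', 'sophos.com'} (bare TLD excluded)."""
    labels = host.lower().rstrip(".").split(".")
    return {".".join(labels[i:]) for i in range(len(labels) - 1)}


def is_sinkhole(address: str) -> bool:
    """True for 127.0.0.0/8, ::1 and 0.0.0.0, the addresses worms use."""
    try:
        ip = ipaddress.ip_address(address)
    except ValueError:
        return False
    return ip.is_loopback or ip.is_unspecified


def audit_hosts(text: str) -> List[Finding]:
    findings: List[Finding] = []
    for lineno, raw in enumerate(text.splitlines(), start=1):
        line = raw.split("#", 1)[0].strip()      # drop comments
        if not line:
            continue
        address, *names = line.split()           # one address, one or more names
        for name in names:
            host = name.lower()
            if parent_domains(host) & WATCHLIST:
                findings.append((lineno, address, host, "watchlisted domain overridden"))
            elif is_sinkhole(address) and host not in LEGIT_LOOPBACK:
                findings.append((lineno, address, host, "non-localhost name sent to loopback"))
    return findings


# Constructed sample: a default-looking file with worm-style entries appended.
SAMPLE_HOSTS = """\
# Copyright (c) 1993-1999 Microsoft Corp.
#
# This is a sample HOSTS file used by Microsoft TCP/IP for Windows.
127.0.0.1       localhost
192.168.1.10    fileserver.corp.example   # constructed internal host
127.0.0.1 www.symantec.com
127.0.0.1 securityresponse.symantec.com
127.0.0.1 liveupdate.symantecliveupdate.com
127.0.0.1 www.sophos.com
0.0.0.0 download.mcafee.com
10.0.0.5 update.symantec.com
127.0.0.1 adserver.example
"""


def windows_hosts_path() -> str:
    return os.path.join(os.environ.get("SystemRoot", r"C:\Windows"),
                        "System32", "drivers", "etc", "hosts")


if __name__ == "__main__":
    path = windows_hosts_path()
    if os.path.exists(path):
        with open(path, encoding="utf-8", errors="replace") as fh:
            text = fh.read()
    else:
        text = SAMPLE_HOSTS
    for lineno, address, host, reason in audit_hosts(text):
        print(f"line {lineno}: {address} {host}  [{reason}]")
```

The second rule (any non-localhost name pointed at loopback) will also fire on ad-blocking hosts lists, so treat it as a prompt to look rather than a verdict; the first rule has no legitimate trigger on a managed workstation.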
Name W32/Mytob-L
Type
* Worm
How it spreads
* Email attachments
Affected operating systems
* Windows
Side effects
* Turns off anti-virus applications
* Allows others to access the computer
* Sends itself to email addresses found on the infected computer
* Forges the sender's email address
Prevalence (1-5) 3
Description
W32/Mytob-L is a mass-mailing worm with IRC backdoor functionality.
W32/Mytob-L runs continuously in the background, providing a backdoor
server which allows a remote intruder to gain access and control over
the computer via IRC channels.
W32/Mytob-L can spread by sending itself as an email attachment to email
addresses it harvests from the infected computer.
Emails sent by the worm have the following characteristics:
Subject:
Security measures
Notice: **Last Warning**
*DETECTED* Online User Violation
Your Email Account is Suspended For Security Reasons
Account Alert
Important Notification
*WARNING* Your Email Account Will Be Closed
Email Account Suspension
Notice of account limitation
Body:
Once you have completed the form in the attached file , your account
records will not be interrupted and will continue as normal.
The original message has been included as an attachment.
We regret to inform you that your account has been suspended due to the
violation of our site policy, more info is attached.
We attached some important information regarding your account.
Please read the attached document and follow it's instructions.
Advanced
W32/Mytob-L is a mass-mailing worm with IRC backdoor functionality.
W32/Mytob-L runs continuously in the background, providing a backdoor
server which allows a remote intruder to gain access and control over
the computer via IRC channels.
W32/Mytob-L can spread by sending itself as an email attachment to email
addresses it harvests from the infected computer.
Emails sent by the worm have the following characteristics:
Subject:
Security measures
Notice: **Last Warning**
*DETECTED* Online User Violation
Your Email Account is Suspended For Security Reasons
Account Alert
Important Notification
*WARNING* Your Email Account Will Be Closed
Email Account Suspension
Notice of account limitation
Body:
Once you have completed the form in the attached file , your account
records will not be interrupted and will continue as normal.
The original message has been included as an attachment.
We regret to inform you that your account has been suspended due to the
violation of our site policy, more info is attached.
We attached some important information regarding your account.
Please read the attached document and follow it's instructions.
When first run W32/Mytob-L copies itself to
<Windows system folder>\nec.exe.
The following registry entries are created to run nec.exe on startup:
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
WINDOWS SYSTEM
nec.exe
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices
WINDOWS SYSTEM
nec.exe
W32/Mytob-L sets the following registry entries, disabling the automatic
startup of other software:
HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess
Start
4
W32/Mytob-L modifies the Windows hosts file in order to block access to
the following security-related websites:
127.0.0.1 avp.com
127.0.0.1 ca.com
127.0.0.1 customer.symantec.com
127.0.0.1 dispatch.mcafee.com
127.0.0.1 download.mcafee.com
127.0.0.1 f-secure.com
127.0.0.1 kaspersky-labs.com
127.0.0.1 kaspersky.com
127.0.0.1 liveupdate.symantec.com
127.0.0.1 liveupdate.symantecliveupdate.com
127.0.0.1 mast.mcafee.com
127.0.0.1 mcafee.com
127.0.0.1 microsoft.com
127.0.0.1 my-etrust.com
127.0.0.1 nai.com
127.0.0.1 networkassociates.com
127.0.0.1 rads.mcafee.com
127.0.0.1 secure.nai.com
127.0.0.1 securityresponse.symantec.com
127.0.0.1 sophos.com
127.0.0.1 symantec.com
127.0.0.1 trendmicro.com
127.0.0.1 update.symantec.com
127.0.0.1 updates.symantec.com
127.0.0.1 us.mcafee.com
127.0.0.1 viruslist.com
127.0.0.1 viruslist.com
127.0.0.1 virustotal.com
127.0.0.1 www.avp.com
127.0.0.1 www.ca.com
127.0.0.1 www.f-secure.com
127.0.0.1 www.grisoft.com
127.0.0.1 www.kaspersky.com
127.0.0.1 www.mcafee.com
127.0.0.1 www.microsoft.com
127.0.0.1 www.msn.com
127.0.0.1 www.my-etrust.com
127.0.0.1 www.nai.com
127.0.0.1 www.networkassociates.com
127.0.0.1 www.sophos.com
127.0.0.1 www.symantec.com
127.0.0.1 www.trendmicro.com
127.0.0.1 www.viruslist.com
127.0.0.1 www.virustotal.com
Name W32/Mytob-I
Type
* Worm
How it spreads
* Email attachments
Affected operating systems
* Windows
Side effects
* Allows others to access the computer
* Forges the sender's email address
* Uses its own emailing engine
* Installs itself in the Registry
* Exploits system or software vulnerabilities
Aliases
* Net-Worm.Win32.Mytob.gen
* W32/Mytob.gen@MM
Prevalence (1-5) 3
Description
W32/Mytob-I is a mass-mailing worm with IRC backdoor functionality.
W32/Mytob-I can spread by sending itself as an email attachment to email
addresses it harvests from the infected computer, and to computers
vulnerable to the RPC-DCOM (MS04-012) and LSASS (MS04-011) exploits.
Emails sent by the worm have the following characteristics:
Subject:
Server Report
Sensitive information inside
Important documents
F-R-E-E. American Idol Screen Saver
<random>
Body:
Very cool American Idol Screen Saver.
The message contains Unicode characters and has been sent as a binary
attachment.
Mail transaction failed. Partial message is available.
The original message was included as an attachment
The message cannot be represented in 7-bit ASCII encoding and has been
sent as a binary attachment.
Advanced
W32/Mytob-I is a mass-mailing worm with IRC backdoor functionality.
W32/Mytob-I can spread by sending itself as an email attachment to email
addresses it harvests from the infected computer, and to computers
vulnerable to the RPC-DCOM (MS04-012) and LSASS (MS04-011) exploits. The
following patches for the operating system vulnerabilities exploited by
W32/Mytob-I can be obtained from the Microsoft website:
MS04-011
MS04-012
Emails sent by the worm have the following characteristics:
Subject:
Server Report
Sensitive information inside
Important documents
F-R-E-E. American Idol Screen Saver
<random>
Body:
Very cool American Idol Screen Saver.
The message contains Unicode characters and has been sent as a binary
attachment.
Mail transaction failed. Partial message is available.
The original message was included as an attachment
The message cannot be represented in 7-bit ASCII encoding and has been
sent as a binary attachment.
When first run W32/Mytob-I copies itself to:
C:\american_idols.scr
C:\girl_juggling_monkeys.scr
C:\matrix4_screen_saver.scr
<Windows system folder>\scvhost.exe
The following registry entries are created to run scvhost.exe on
startup:
HKCU\Software\Microsoft\Windows\CurrentVersion\Run
WINTASK
scvhost.exe
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
WINTASK
scvhost.exe
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices
WINTASK
scvhost.exe
Registry entries are set as follows:
HKCU\SYSTEM\CurrentControlSet\Control\Lsa
WINTASK
scvhost.exe
HKLM\SYSTEM\CurrentControlSet\Control\Lsa
WINTASK
scvhost.exe
HKCU\Software\Microsoft\OLE
WINTASK
scvhost.exe
HKLM\SOFTWARE\Microsoft\Ole
WINTASK
scvhost.exe
W32/Mytob-I blocks access to security-related websites by writing the
following entries to the Windows hosts file:
127.0.0.1 avp.com
127.0.0.1 ca.com
127.0.0.1 customer.symantec.com
127.0.0.1 dispatch.mcafee.com
127.0.0.1 download.mcafee.com
127.0.0.1 f-secure.com
127.0.0.1 kaspersky.com
127.0.0.1 liveupdate.symantec.com
127.0.0.1 liveupdate.symantecliveupdate.com
127.0.0.1 mast.mcafee.com
127.0.0.1 mcafee.com
127.0.0.1 my-etrust.com
127.0.0.1 nai.com
127.0.0.1 networkassociates.com
127.0.0.1 rads.mcafee.com
127.0.0.1 secure.nai.com
127.0.0.1 securityresponse.symantec.com
127.0.0.1 sophos.com
127.0.0.1 symantec.com
127.0.0.1 trendmicro.com
127.0.0.1 update.symantec.com
127.0.0.1 updates.symantec.com
127.0.0.1 us.mcafee.com
127.0.0.1 viruslist.com
127.0.0.1 viruslist.com
127.0.0.1 www.avp.com
127.0.0.1 www.ca.com
127.0.0.1 www.f-secure.com
127.0.0.1 www.kaspersky.com
127.0.0.1 www.mcafee.com
127.0.0.1 www.microsoft.com
127.0.0.1 www.my-etrust.com
127.0.0.1 www.nai.com
127.0.0.1 www.networkassociates.com
127.0.0.1 www.sophos.com
127.0.0.1 www.symantec.com
127.0.0.1 www.trendmicro.com
127.0.0.1 www.viruslist.com
Name W32/Mytob-AN
Type
* Worm
How it spreads
* Email attachments
Affected operating systems
* Windows
Side effects
* Allows others to access the computer
* Sends itself to email addresses found on the infected computer
* Drops more malware
* Forges the sender's email address
* Uses its own emailing engine
Aliases
* Net-Worm.Win32.Mytob.x
Prevalence (1-5) 2
Description
W32/Mytob-AN is a mass-mailing worm and backdoor Trojan that can be
controlled through the Internet Relay Chat (IRC) network.
W32/Mytob-AN is capable of spreading through email and through various
operating system vulnerabilities such as LSASS (MS04-011). Email sent by
W32/Mytob-AN has the following properties:
Subject line:
document
Good day
Mail Delivery System
Mail Transaction Failed
message
readme
Server Report
Status
Message text:
'This is a multi-part message in MIME format.'
'Mail transaction failed. Partial message is available.'
'The message contains Unicode characters and has been sent as a binary
attachment.'
'The message cannot be represented in 7-bit ASCII encoding and has been
sent as a binary attachment.'
'The original message was included as an attachment.'
'Here are your banks documents.'
The attached file consists of a base name followed by the extensions
PIF, SCR, EXE, CMD or ZIP. The worm may optionally create double
extensions where the first extension is DOC, TXT or HTM and the final
extension is PIF, SCR, EXE, CMD or ZIP.
W32/Mytob-AN harvests email addresses from files on the infected
computer and from the Windows address book.
Advanced
W32/Mytob-AN is a mass-mailing worm and backdoor Trojan that can be
controlled through the Internet Relay Chat (IRC) network.
When first run W32/Mytob-AN copies itself to the Windows system folder
as wpad.exe and creates the following registry entries:
HKCU\SYSTEM\CurrentControlSet\Control\Lsa\
MS PLUS INC
"wpad.exe"
HKCU\Software\Microsoft\OLE\
MS PLUS INC
"wpad.exe"
HKCU\Software\Microsoft\Windows\CurrentVersion\Run\
MS PLUS INC
"wpad.exe"
HKLM\SOFTWARE\Microsoft\Ole\
MS PLUS INC
"wpad.exe"
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\
MS PLUS INC
"wpad.exe"
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices\
MS PLUS INC
"wpad.exe"
HKLM\SYSTEM\CurrentControlSet\Control\Lsa\
MS PLUS INC
"wpad.exe"
W32/Mytob-AN copies itself to the root folder as:
funny_pic.scr
my_photo2005.scr
see_this!!.scr
and drops a file called hellmsn.exe detected by Sophos Anti-Virus
products as W32/Mytob-D. This component attempts to spread the worm by
sending the aforementioned SCR files through Windows Messenger to all
online contacts.
W32/Mytob-AN also appends the following to the HOSTS file to deny access
to security-related websites:
127.0.0.1 www.symantec.com
127.0.0.1 securityresponse.symantec.com
127.0.0.1 symantec.com
127.0.0.1 www.sophos.com
127.0.0.1 sophos.com
127.0.0.1 www.mcafee.com
127.0.0.1 mcafee.com
127.0.0.1 liveupdate.symantecliveupdate.com
127.0.0.1 www.viruslist.com
127.0.0.1 viruslist.com
127.0.0.1 viruslist.com
127.0.0.1 f-secure.com
127.0.0.1 www.f-secure.com
127.0.0.1 kaspersky.com
127.0.0.1 www.avp.com
127.0.0.1 www.kaspersky.com
127.0.0.1 avp.com
127.0.0.1 www.networkassociates.com
127.0.0.1 networkassociates.com
127.0.0.1 www.ca.com
127.0.0.1 ca.com
127.0.0.1 mast.mcafee.com
127.0.0.1 my-etrust.com
127.0.0.1 www.my-etrust.com
127.0.0.1 download.mcafee.com
127.0.0.1 dispatch.mcafee.com
127.0.0.1 secure.nai.com
127.0.0.1 nai.com
127.0.0.1 www.nai.com
127.0.0.1 update.symantec.com
127.0.0.1 updates.symantec.com
127.0.0.1 us.mcafee.com
127.0.0.1 liveupdate.symantec.com
127.0.0.1 customer.symantec.com
127.0.0.1 rads.mcafee.com
127.0.0.1 trendmicro.com
127.0.0.1 www.microsoft.com
127.0.0.1 www.trendmicro.com
W32/Mytob-AN is capable of spreading through email and through various
operating system vulnerabilities such as LSASS (MS04-011). Email sent by
W32/Mytob-AN has the following properties:
Subject line:
document
Good day
Mail Delivery System
Mail Transaction Failed
message
readme
Server Report
Status
Message text:
'This is a multi-part message in MIME format.'
'Mail transaction failed. Partial message is available.'
'The message contains Unicode characters and has been sent as a binary
attachment.'
'The message cannot be represented in 7-bit ASCII encoding and has been
sent as a binary attachment.'
'The original message was included as an attachment.'
'Here are your banks documents.'
The attached file consists of a base name followed by the extensions
PIF, SCR, EXE, CMD or ZIP. The worm may optionally create double
extensions where the first extension is DOC, TXT or HTM and the final
extension is PIF, SCR, EXE, CMD or ZIP.
W32/Mytob-AN harvests email addresses from files on the infected
computer and from the Windows address book. The worm avoids sending
email to addresses that contain the following:
.gov
.mil
accoun
acketst
admin
anyone
arin.
avp
berkeley
borlan
bsd
bsd
bugs
ca
certific
contact
example
feste
fido
foo.
fsf.
gnu
gold-certs
google
google
gov.
help
iana
ibm.com
icrosof
icrosoft
ietf
info
inpris
isc.o
isi.e
kernel
linux
linux
listserv
math
me
mit.e
mozilla
mydomai
no
nobody
nodomai
noone
not
nothing
ntivi
page
panda
pgp
postmaster
privacy
rating
rfc-ed
ripe.
root
ruslis
samples
secur
sendmail
service
site
soft
somebody
someone
sopho
submit
support
syma
tanford.e
the.bat
unix
unix
usenet
utgers.ed
webmaster
you
you
Name W32/Rizon-B
Type
* Worm
Affected operating systems
* Windows
Side effects
* Deletes files off the computer
Aliases
* Trojan.Win32.VB.uj
* W32/Rizon.worm
Prevalence (1-5) 2
Description
W32/Rizon-B is a worm that terminates processes and deletes files.
Advanced
W32/Rizon-B is a worm that terminates processes and deletes files.
W32/Rizon-B attempts to install itself in the Start Menu by copying
itself to the following folders:
C:\Documents and Settings\All Users\Menu
Start\Programma's\Opstarten\SoundMAX.exe
H:\Windows NT 5.1 Workstation Profile\Menu
Start\Programma's\Opstarten\SoundMAX.exe
The worm terminates the following processes:
rclnt.exe
rshelper.exe
srvany.exe
WUOLService.exe
wuser32.exe
W32/Rizon-B deletes the folders C:\NOVELL and C:\progra~1\divace~1 .
The worm makes a copy of the system file cmd.exe named temp.exe in the
Windows system folder.
Name W32/Alcra-A
Type
* Worm
How it spreads
* Peer-to-peer
Affected operating systems
* Windows
Side effects
* Modifies data on the computer
* Deletes files off the computer
* Steals information
* Drops more malware
* Downloads code from the internet
* Reduces system security
Aliases
* WORM_ALCAN.A
* W32.Alcra.A
* W32/Alcan.worm!p2p
* P2P-Worm.Win32.Alcan.a
* W32.Alcra.A
Prevalence (1-5) 2
Description
W32/Alcra-A is a worm for the Windows platform.
W32/Alcra-A drops the files temp.zip, p2pnetwork.exe and bszip.dll to
the Windows system folder. The temp.zip file is a zipped copy of the
worm. Bszip.dll is a clean file compression utility. Sophos's anti-virus
products detect p2pnetwork.exe as W32/Rbot-ACZ.
The worm copies itself into shared folders used by common Peer to Peer
(P2P) filesharing applications.
Advanced
W32/Alcra-A is a worm for the Windows platform.
When run, W32/Alcra-A copies itself to the following locations:
<Program files folder>/MsConfigs/MsConfigs.exe
/z.tmp
The worm then sets the following registry entry in order to run each
time a user logs on:
HKLM\Software\Microsoft\Windows\CurrentVersion\Run
MsConfigs
"<Program files folder>\MsConfigs\MsConfigs.exe"
W32/Alcra-A drops the files temp.zip, p2pnetwork.exe and bszip.dll to
the Windows system folder. The temp.zip file is a zipped copy of the
worm. Bszip.dll is a clean file compression utility. Sophos's anti-virus
products detect p2pnetwork.exe as W32/Rbot-ACZ.
W32/Alcra-A replaces the following system utilities with corrupt files:
cmd.com
netstat.com
ping.com
regedit.com
taskkill.com
tasklist.com
taskmgr.exe
tracert.com
The worm copies itself into shared folders used by common Peer to Peer
(P2P) filesharing applications where the path to the folder contains any
of the following:
Ares\My Shared Folder
Bearshare\Shared
Edonkey2000\Incoming
eMule\Incoming
gnucleus\downloads
grokster\my grokster
Kazaa\My Shared Folder
Limewire\Shared
morpheus\My Shared Folder
My Shared Folder
rapigator\share
shareaza\downloads
shared
W32/Alcra-A may also modify documents containing hyperlinks by changing
the hyperlink destination to point to a predefined URL.
Name W32/Qeds-A
Type
* Worm
How it spreads
* Infected files
Affected operating systems
* Windows
Side effects
* Downloads code from the internet
* Installs itself in the Registry
Aliases
* Trojan.Win32.VB.xb
* W32/Qeds
Prevalence (1-5) 2
Description
W32/Qeds-A is a virus for the Windows platform.
The virus will attempt to download and execute a file from one of four
predefined URLs.
W32/Qeds-A will disable Taskmanager and the registry tools before
copying itself to the Windows system folder, and to the following
locations as DHelp.dll.
<Windows folder>
<Windows system folder>
<Windows system folder>\wbem
Advanced
W32/Qeds-A is a virus for the Windows platform.
The virus will attempt to download and execute a file from one of four
predefined URLs.
W32/Qeds-A will disable Taskmanager and the registry tools before
copying itself to the Windows system folder, and to the following
locations as DHelp.dll.
<Windows folder>
<Windows system folder>
<Windows system folder>\wbem
W32/Qeds-A will terminate any processes associated with the following
executables and inject code into the files so that the virus is executed
whenever the infected file is run:
<Windows system folder>\dllcache\notepad.exe
<Windows system folder>\dllcache\explorer.exe
<Windows system folder>\dllcache\iexplore.exe
<Windows system folder>\notepad.exe
<Windows folder>\notepad.exe
<Windows folder>\explorer.exe
\Program Files\Internet Explorer\iexplore.exe
<path to file>\QQexternal.exe
<path to file>\TIMPlatform.exe
<path to file>\BugReport.exe
<path to file>\QQ.exe
<path to file>\QQGame.exe
W32/Qeds-A will create or modify the following registry entries:
HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System
DisableTaskMgr
"1"
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Windows Management Instrumentation
"<executable name>"
HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System
DisableTaskMgr
"0"
Name W32/Rbot-ADA
Type
* Worm
How it spreads
* Network shares
Affected operating systems
* Windows
Side effects
* Turns off anti-virus applications
* Allows others to access the computer
* Steals information
* Downloads code from the internet
* Reduces system security
Aliases
* W32/Sdbot.worm.gen
* WORM_RBOT.AZM
Prevalence (1-5) 2
Description
W32/Rbot-ADA is a worm which attempts to spread to remote network
shares. It also contains backdoor Trojan functionality, allowing
unauthorised remote access to the infected computer via IRC channels.
Advanced
W32/Rbot-ADA is a worm which attempts to spread to remote network
shares. It also contains backdoor Trojan functionality, allowing
unauthorised remote access to the infected computer via IRC channels.
W32/Rbot-ADA spreads to network shares with weak passwords and via
network security exploits as a result of the backdoor Trojan element
receiving the appropriate command from a remote user.
W32/Rbot-ADA copies itself to the Windows system folder with the
filename SCRTKFG.EXE and creates entries at the following locations in
the registry with the value "System CSRSS Patch" so as to run itself on
system startup, resetting these values multiple times every minute:
HKLM\Software\Microsoft\Windows\CurrentVersion\Run
HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices
W32/Rbot-ADA also sets the following registry entry to point to itself
with the same value, resetting it multiple times every minute:
HKCU\Software\Microsoft\OLE
W32/Rbot-ADA attempts to set the following registry entries every 2
minutes:
HKLM\SOFTWARE\Microsoft\Ole\EnableDCOM = "N"
HKLM\SYSTEM\CurrentControlSet\Control\Lsa\restrictanonymous = "1"
W32/Rbot-ADA attempts to delete network shares on the host computer
every 2 minutes.
W32/Rbot-ADA attempts to terminate a large number of processes related
to security and anti-virus programs including REGEDIT.EXE, MSCONFIG.EXE
and NETSTAT.EXE.
W32/Rbot-ADA may attempt to log keystrokes to the file DHANFJF.XML in
the Windows system folder.
Name W32/Kipis-U
Type
* Worm
How it spreads
* Email attachments
* Network shares
Affected operating systems
* Windows
Side effects
* Allows others to access the computer
* Sends itself to email addresses found on the infected computer
* Forges the sender's email address
* Uses its own emailing engine
* Reduces system security
Aliases
* Email-Worm.Win32.Kipis.u
* W32/Kipis.u@MM
* W32.Kipis.A@mm
* WORM_KIPIS.M
Prevalence (1-5) 2
Description
W32/Kipis-U is an email and network share worm and backdoor for the
Windows platform.
W32/Kipis-U sends itself by email to addresses found on the hard disk of
the infected computer.
Email sent by the worm has a subject line, message text and attachment
name in one of 6 languages, English, French, German, Russian, Spanish or
Ukrainian. The language is chosen according to the domain of the email
recipient.
W32/Kipis-U runs continuously in the background, providing a backdoor
server which allows a remote intruder to upload and run arbitrary
programs on the infected computer.
Advanced
W32/Kipis-U is an email and network share worm and backdoor for the
Windows platform.
W32/Kipis-U sends itself by email to addresses found on the hard disk of
the infected computer in files with the following extensions :
ADB
DBX
DHTM
DOC
EML
HTM
MSG
PAB
PHP
SHTM
TBB
TXT
UIN
WAB
XLS
The worm avoids sending email to addresses containing any of the
following strings:
@avp.
@bitdefen
@borlan
@drweb
@fido
@foo
@iana
@ietf
@kasper
@klamav
@license
@mcafee
@messagelab
@microsof
@mydomai
@nod3
@nodomai
@norman
@panda
@rfc-ed
@somedomai
@sopho
@symante
@usenet
@virusli
abuse@
accoun
admin@
antivir
anyone@
bsd
bugs@
contact@
contract@
f-secur
free-av
google
help@
info@
listserv
mailer-
mozzila
news@
newvir
nobody@
noone@
noreply
notice@
page@
pgp
podpiska@
postmaster@
privacy@
rar@
rating@
register@
root@
sales@
service@
site@
soft@
spm111@
suporte@
support@
technical@
the.bat
update@
virus@
webmaster@
winrar
winzip
you@
Email sent by the worm has a subject line, message text and attachment
name in one of 6 languages, English, French, German, Russian, Spanish or
Ukrainian. The language is chosen according to the domain of the email
recipient.
W32/Kipis-U also attempts to spread to shared folders by copying itself
to any folder that has 'share' or 'microsof' in its name. The worm uses
the following filenames when copying to shared folders:
Land Attack(source and files).exe
DDoS bot(src)..scr
Forum Hack.txt.scr
Winamp 6(plugins).exe
Crack collection.scr
NLP.scr
Hack Unix Server(info).scr
Screensaver for Hackers.scr
Windows 2000(source code).scr
Hack Chat.exe
Kaspersy Antivirus Key(ver.5.xx,Pro,Personal).exe
W32/Kipis-U runs continuously in the background, providing a backdoor
server which allows a remote intruder to upload and run arbitrary
programs on the infected computer.
When first run W32/Kipis-U copies itself to:
<Windows folder>\regedit.com
<Windows system folder>\Microsoft\iexplore.exe
The following registry entry is created to run iexplore.exe on startup:
HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon
Shell
Explorer.exe <Windows system folder>\Microsoft\iexplore.exe
The following registry entry is also set:
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\WOW\boot
shell
<Windows system folder>\Microsoft\iexplore.exe
W32/Kipis-U attempts to disable services that have the following strings
in their names:
anvir
apv
avc
aveng
avg
avk
avp
avw
avx
blackd
blacki
blss
cfi
clean
defwat
drweb
egedit.ex
ewall
fsa
fsm
guard
hijack
hxde
ilemon
kerio
klagent
klamav
luacomserv
minilog.
monitor
mooli
mosta
mpf
nav
neomon
netarm
netspy
nisse
nisum
nod3
norman
normis
norton
outpos
pav
pavsrv
pcc
protect
proxy.
rav
rfw
spider
svc.
syman
taskmgr
tmon
trojan
updat
upgrad
virus
vsmon
zapro.
zonalm
zonea
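The Run/RunServices persistence used by every Mytob and Agobot variant above, the SharedAccess Start=4 change (which disables the Windows Firewall/ICS service), Rbot-ADA's EnableDCOM=N and Kipis-U's Winlogon Shell hijack are all visible in a plain registry export. The script below is an added example, not Sophos's code: it parses the text that 'reg export' produces and flags those conditions. SAMPLE_REG is a constructed export; the value-name/executable pairs in KNOWN_PAIRS are taken from the entries above, and the "bare filename" rule is a heuristic of mine, justified by the fact that every worm entry on this page omits the path while legitimate Run entries almost always carry one.

```python
"""Audit a Windows registry export (.reg text, as written by 'reg export')
for the persistence and tampering the advisories above describe.

Added example, not Sophos's code. SAMPLE_REG is a constructed export;
KNOWN_PAIRS holds value-name/executable pairs taken from the advisories."""
import re
from typing import Dict, List

SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"WINDOWS SYSTEM"="nec.exe"
"ctfmon"="C:\\WINDOWS\\system32\\ctfmon.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices]
"WINDOWS SYSTEM"="nec.exe"

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"MS PLUS INC"="wpad.exe"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess]
"Start"=dword:00000004

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"Shell"="Explorer.exe C:\\WINDOWS\\system32\\Microsoft\\iexplore.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Ole]
"EnableDCOM"="N"
'''

RUN_KEYS = (
    r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run",
    r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices",
    r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run",
)
# (value name, executable) pairs from the advisories above, lower-cased.
KNOWN_PAIRS = {
    ("windows system", "nec.exe"), ("wintask", "scvhost.exe"),
    ("wintask", "taskgmr32.exe"), ("wintask", "t4skmgr.exe"),
    ("ms plus inc", "wpad.exe"), ("hpl services", "hmlsvc32.exe"),
    ("system csrss patch", "scrtkfg.exe"),
}


def parse_reg(text: str) -> Dict[str, Dict[str, object]]:
    """Minimal .reg parser: {key path (lower): {value name (lower): data}}.
    Handles quoted strings (with \\ and \" escapes) and dword values."""
    keys: Dict[str, Dict[str, object]] = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("Windows Registry Editor"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].lstrip("-").lower()   # leading '-' marks deletion
            keys.setdefault(current, {})
            continue
        m = re.match(r'^"((?:[^"\\]|\\.)*)"=(.*)$', line)
        if not m or current is None:
            continue
        name, data = m.group(1).lower(), m.group(2)
        if data.startswith("dword:"):
            value: object = int(data[6:], 16)
        elif data.startswith('"') and data.endswith('"'):
            value = re.sub(r"\\(.)", r"\1", data[1:-1])   # unescape \\ and \"
        else:
            value = data
        keys[current][name] = value
    return keys


def _program(cmd: str) -> str:
    """First token of a command line, honouring a quoted path."""
    return cmd[1:].split('"', 1)[0] if cmd.startswith('"') else cmd.split(" ", 1)[0]


def audit_reg(keys: Dict[str, Dict[str, object]]) -> List[str]:
    findings: List[str] = []
    for run_key in RUN_KEYS:
        for name, data in keys.get(run_key.lower(), {}).items():
            prog = _program(str(data))
            exe = prog.rsplit("\\", 1)[-1].lower()
            if (name, exe) in KNOWN_PAIRS:
                findings.append(f"KNOWN: {run_key}\\{name} -> {data}")
            elif "\\" not in prog:
                findings.append(f"HEURISTIC: bare filename in {run_key}\\{name} -> {data}")
    svc = keys.get(r"hkey_local_machine\system\currentcontrolset\services\sharedaccess", {})
    if svc.get("start") == 4:
        findings.append("SharedAccess (Windows Firewall/ICS) service disabled: Start=4")
    shell = keys.get(r"hkey_local_machine\software\microsoft\windows nt\currentversion\winlogon", {}).get("shell")
    if shell is not None and str(shell).strip().lower() != "explorer.exe":
        findings.append(f"Winlogon Shell hijacked: {shell}")
    ole = keys.get(r"hkey_local_machine\software\microsoft\ole", {})
    if str(ole.get("enabledcom", "")).upper() == "N":
        findings.append("DCOM disabled via Ole\\EnableDCOM=N")
    return findings


if __name__ == "__main__":
    for finding in audit_reg(parse_reg(SAMPLE_REG)):
        print(finding)
```

On a live host, export the keys named in RUN_KEYS, SharedAccess, Winlogon and Ole with 'reg export' and feed the resulting files to parse_reg; a value that the worm rewrites "multiple times every minute", as Rbot-ADA does, will survive deletion until the process is stopped, so a finding here is a reason to look for the running process rather than just to delete the value.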
Name W32/Agobot-SN
Type
* Worm
How it spreads
* Network shares
Affected operating systems
* Windows
Side effects
* Allows others to access the computer
* Modifies data on the computer
* Steals information
* Reduces system security
* Records keystrokes
* Installs itself in the Registry
Aliases
* W32/Gaobot.worm.gen.j
Prevalence (1-5) 2
Description
W32/Agobot-SN is a worm and IRC backdoor Trojan for the Windows
platform.
W32/Agobot-SN spreads to other network computers by exploiting common
buffer overflow vulnerabilities, including RPC-DCOM (MS04-012) and by
copying itself to network shares protected by weak passwords.
W32/Agobot-SN runs continuously in the background, providing a backdoor
server which allows a remote intruder to gain access and control over
the computer via IRC channels.
Advanced
W32/Agobot-SN is a worm and IRC backdoor Trojan for the Windows
platform.
W32/Agobot-SN spreads to other network computers by exploiting common
buffer overflow vulnerabilities, including RPC-DCOM (MS04-012) and by
copying itself to network shares protected by weak passwords.
W32/Agobot-SN runs continuously in the background, providing a backdoor
server which allows a remote intruder to gain access and control over
the computer via IRC channels.
When first run W32/Agobot-SN copies itself to <System>\hmlsvc32.exe.
The following registry entries are created to run hmlsvc32.exe on
startup:
HKCU\Software\Microsoft\Windows\CurrentVersion\Run
HPl Services
hmlsvc32.exe
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
HPl Services
hmlsvc32.exe
W32/Agobot-SN modifies the HOSTS file, changing the URL to IP mappings
for selected websites, thus preventing normal access to these sites, by
adding the following entries:
127.0.0.1 www.symantec.com
127.0.0.1 securityresponse.symantec.com
127.0.0.1 symantec.com
127.0.0.1 www.sophos.com
127.0.0.1 sophos.com
127.0.0.1 www.mcafee.com
127.0.0.1 mcafee.com
127.0.0.1 liveupdate.symantecliveupdate.com
127.0.0.1 www.viruslist.com
127.0.0.1 viruslist.com
127.0.0.1 viruslist.com
127.0.0.1 f-secure.com
127.0.0.1 www.f-secure.com
127.0.0.1 kaspersky.com
127.0.0.1 www.avp.com
127.0.0.1 www.kaspersky.com
127.0.0.1 avp.com
127.0.0.1 www.networkassociates.com
127.0.0.1 networkassociates.com
127.0.0.1 www.ca.com
127.0.0.1 ca.com
127.0.0.1 mast.mcafee.com
127.0.0.1 my-etrust.com
127.0.0.1 www.my-etrust.com
127.0.0.1 download.mcafee.com
127.0.0.1 dispatch.mcafee.com
127.0.0.1 secure.nai.com
127.0.0.1 nai.com
127.0.0.1 www.nai.com
127.0.0.1 update.symantec.com
127.0.0.1 updates.symantec.com
127.0.0.1 us.mcafee.com
127.0.0.1 liveupdate.symantec.com
127.0.0.1 customer.symantec.com
127.0.0.1 rads.mcafee.com
127.0.0.1 trendmicro.com
127.0.0.1 www.trendmicro.com
Name Troj/Molehut-A
Type
* Trojan
Affected operating systems
* Windows
Side effects
* Installs itself in the Registry
Aliases
* Trojan.Win32.Mole.f
* MoleHut
Prevalence (1-5) 2
Description
Troj/Molehut-A is a Trojan for the Windows platform.
Troj/Molehut-A will move itself to the Windows system folder as System.
Advanced
Troj/Molehut-A is a Trojan for the Windows platform.
Troj/Molehut-A will move itself to the Windows system folder as System.
The Trojan will then create several entries under the following registry
entry:
HKCU\Software\Microsoft\Mole
The Trojan will also create the following registry entry:
HKLM\Software\Policies\Microsoft\Internet
Explorer\Infodelivery\Restrictions
NoSplash
1
Name W32/Mytob-AK
Type
* Worm
How it spreads
* Email attachments
Affected operating systems
* Windows
Side effects
* Allows others to access the computer
* Sends itself to email addresses found on the infected computer
* Forges the sender's email address
* Uses its own emailing engine
Aliases
* WORM_MYTOB.BT
Prevalence (1-5) 2
Description
W32/Mytob-AK is a mass-mailing worm with IRC backdoor functionality for
the Windows platform.
W32/Mytob-AK is capable of spreading through operating system
vulnerabilities, including the LSASS (MS04-011) exploit.
W32/Mytob-AK can harvest email addresses from files on the infected
computer and from the Windows address book.
Emails sent by the worm have the following characteristics:
Subject line:
Error
Status
Server Report
Mail Transaction Failed
Mail Delivery System
hello
Good day
<blank>
Message body:
The message contains Unicode characters and has been sent as a binary
attachment.
Mail transaction failed. Partial message is available.
The message cannot be represented in 7-bit ASCII encoding and has been
sent as a binary attachment.
The original message was included as an attachment,
Here are your bank documents
Advanced
W32/Mytob-AK is a mass-mailing worm with IRC backdoor functionality for
the Windows platform.
W32/Mytob-AK is capable of spreading through operating system
vulnerabilities, including the LSASS (MS04-011) exploit. The following
patches for the operating system vulnerabilities exploited by
W32/Mytob-AK can be obtained from the Microsoft website:
MS04-011
W32/Mytob-AK can harvest email addresses from files on the infected
computer and from the Windows address book.
Emails sent by the worm have the following characteristics:
Subject line:
Error
Status
Server Report
Mail Transaction Failed
Mail Delivery System
hello
Good day
<blank>
Message body:
The message contains Unicode characters and has been sent as a binary
attachment.
Mail transaction failed. Partial message is available.
The message cannot be represented in 7-bit ASCII encoding and has been
sent as a binary attachment.
The original message was included as an attachment,
Here are your bank documents
W32/Mytob-AK copies itself to the Windows system folder as
"taskgmr32.exe" or "t4skmgr.exe" and creates the following registry
entries in order to run automatically on computer logon:
HKLM\Software\Microsoft\Windows\CurrentVersion\Run\
WINTASK
HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices\
WINTASK
HKCU\Software\Microsoft\Windows\CurrentVersion\Run\
WINTASK
The worm also creates the following registry entries to point to itself:
HKCU\SYSTEM\CurrentControlSet\Control\Lsa\
WINTASK
HKCU\Software\Microsoft\OLE\
WINTASK
HKLM\SOFTWARE\Microsoft\Ole\
WINTASK
W32/Mytob-AK copies itself to the root folder with the following
filenames:
funny_pic.scr
my_photo2005.scr
see_this!!.scr
W32/Mytob-AK blocks access to security-related websites by writing the
following entries to the Windows hosts file:
W32/Mytob-AK may create a new file detected by Sophos as W32/Mytob-D.
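A defender's check for the hosts-file tampering described above, added here as an example and not part of the Sophos text: it parses hosts-file content and reports any security-vendor hostname mapped to a sink address. The watchlist and sample file are constructed from names on this page; the check also treats 0.0.0.0 and ::1 as sink addresses, which the advisory does not mention.

```python
import re

# Addresses a tampered hosts file uses to sink a hostname (the advisory
# shows 127.0.0.1; 0.0.0.0 and ::1 are added here for the same effect).
LOOPBACK = {"127.0.0.1", "0.0.0.0", "::1"}

# Constructed watchlist of security-vendor domains named on this page;
# extend it with whatever your environment depends on for updates.
WATCHLIST = {
    "symantec.com", "mcafee.com", "nai.com", "sophos.com", "trendmicro.com",
    "f-secure.com", "kaspersky.com", "avp.com", "ca.com", "my-etrust.com",
    "networkassociates.com", "viruslist.com", "microsoft.com",
}

def _parent_domains(host):
    """Yield host and each parent domain: a.b.c -> a.b.c, b.c, c."""
    labels = host.lower().rstrip(".").split(".")
    for i in range(len(labels)):
        yield ".".join(labels[i:])

def find_sinkholed(hosts_text, watchlist=WATCHLIST):
    """Return (ip, hostname, line_no) for every watchlisted hostname that
    the file maps to a sink address. Comments and blank lines are skipped
    and a line may carry several hostnames after the address."""
    hits = []
    for line_no, raw in enumerate(hosts_text.splitlines(), start=1):
        line = raw.split("#", 1)[0].strip()          # drop trailing comment
        if not line:
            continue
        fields = re.split(r"\s+", line)
        ip, names = fields[0], fields[1:]
        if ip not in LOOPBACK:
            continue
        for name in names:
            if any(d in watchlist for d in _parent_domains(name)):
                hits.append((ip, name.lower(), line_no))
    return hits

# Constructed sample: the stock localhost lines plus entries of the kind
# W32/Mytob-AK writes (not copied from a real infected machine).
SAMPLE_HOSTS = """\
# sample hosts file (constructed)
127.0.0.1       localhost
::1             localhost
127.0.0.1 liveupdate.symantec.com   # added by worm
127.0.0.1\tupdate.symantec.com updates.symantec.com
0.0.0.0 www.trendmicro.com
127.0.0.1 securityresponse.symantec.com
10.0.0.5 intranet.example.test
"""
```

On a live Windows host, read %SystemRoot%\System32\drivers\etc\hosts and pass its text to find_sinkholed; an empty result means no watchlisted vendor is being sunk.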
Name Troj/RNWatch-A
Type
* Trojan
Affected operating systems
* Windows
Side effects
* Allows others to access the computer
* Steals information
Prevalence (1-5) 2
Description
Troj/RNWatch-A is a backdoor Trojan for the Windows platform.
Advanced
Troj/RNWatch-A is a backdoor Trojan for the Windows platform.
Once executed, Troj/RNWatch-A copies itself to the Windows system folder
with the filenames winierun.exe and bfwinier.exe and, in order to run
automatically when Windows starts up, sets the following registry
entries:
HKCU\Software\Microsoft\Windows\CurrentVersion\Run
WinIeRun
"winierun.exe"
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
WinIeRun
"winierun.exe"
Name W32/Agobot-ATK
Type
* Worm
How it spreads
* Network shares
Affected operating systems
* Windows
Side effects
* Turns off anti-virus applications
* Allows others to access the computer
* Modifies data on the computer
* Deletes files off the computer
* Steals information
Aliases
* WORM_AGOBOT.ATK
* W32.HLLW.Gaobot
* W32/Sdbot.worm.gen.bj
Prevalence (1-5) 2
Description
W32/Agobot-ATK is a network worm with backdoor functionality for the
Windows platform.
W32/Agobot-ATK spreads through network shares protected by weak
passwords and through various unpatched operating system vulnerabilities.
Advanced
W32/Agobot-ATK is a network worm with backdoor functionality for the
Windows platform.
When run, W32/Agobot-ATK copies itself to the Windows system folder as
hmlsvc32.exe and sets the following registry entries in order to run
each time a user logs on:
HKLM\Software\Microsoft\Windows\CurrentVersion\Run
HPl Services
hmlsvc32.exe
HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices
HPl Services
hmlsvc32.exe
The backdoor component joins a predetermined IRC channel and awaits
commands from a remote user.
W32/Agobot-ATK spreads through network shares protected by weak
passwords and through various unpatched operating system vulnerabilities.
Name W32/Banish-A
Type
* Worm
How it spreads
* Email attachments
Affected operating systems
* Windows
Side effects
* Deletes files off the computer
* Uses its own emailing engine
* Reduces system security
* Installs itself in the Registry
* Exploits system or software vulnerabilities
Prevalence (1-5) 2
Description
W32/Banish-A is a mass-mailing worm.
Emails sent by the worm have the following characteristics:
Subject line:
OK. Read the attached instructions to solve the problem.
Here are the details.
Re: Thank you for your choice.
Thank you for shopping. This mail contains your invoice.
Thank you. Your credit card was processed successfully.
Attached file:
A filename chosen from those in the current user's "Recent Documents"
folder.
W32/Banish-A also spreads by exploiting the following vulnerabilities:
LSASS (MS04-011)
IIS5 (MS04-011)
W32/Banish-A contains the following message:
ExiliuM SerieS A
In honour to all the people that were, are, or will be forced
to leave their homelands. NO MORE EXILED PEOPLE, NO MORE WARS
(c)ThE ExpaTRiatE 2005
Advanced
W32/Banish-A is a mass-mailing worm.
W32/Banish-A submits queries to popular search engines in order to find
email addresses to which to send itself.
Emails sent by the worm have the following characteristics:
Subject line:
OK. Read the attached instructions to solve the problem.
Here are the details.
Re: Thank you for your choice.
Thank you for shopping. This mail contains your invoice.
Thank you. Your credit card was processed successfully.
Attached file:
A filename chosen from those in the current user's "Recent Documents"
folder.
W32/Banish-A also spreads by exploiting the following vulnerabilities:
LSASS (MS04-011)
IIS5 (MS04-011)
When first run, W32/Banish-A copies itself to one of the following
filenames in the Windows folder:
smss.exe
lsass.exe
csrss.exe
services.exe
winlogon.exe
The worm installs itself as a service with the name "Windows Object
Manager". The other characteristics of this service are copied from one
of the already-existing services, chosen at random.
W32/Banish-A deletes any files found in the "repair" subfolder of the
Windows folder.
W32/Banish-A contains the following message:
ExiliuM SerieS A
In honour to all the people that were, are, or will be forced
to leave their homelands. NO MORE EXILED PEOPLE, NO MORE WARS
(c)ThE ExpaTRiatE 2005
Name W32/Rbot-UH
Type
* Worm
How it spreads
* Network shares
Affected operating systems
* Windows
Side effects
* Allows others to access the computer
* Steals information
* Uses its own emailing engine
* Reduces system security
* Records keystrokes
* Installs itself in the Registry
Aliases
* Backdoor.Win32.Rbot.gen
Prevalence (1-5) 2
Description
W32/Rbot-UH is a worm with backdoor functionality.
W32/Rbot-UH is capable of spreading to computers on the local network
protected by weak passwords after receiving the appropriate backdoor
command.
W32/Rbot-UH will attempt to spread by exploiting the DCOM (MS04-012) and
LSASS (MS04-011) software vulnerabilities and to computers running
Microsoft SQL servers with weak passwords.
Advanced
W32/Rbot-UH is a worm with backdoor functionality.
W32/Rbot-UH is capable of spreading to computers on the local network
protected by weak passwords after receiving the appropriate backdoor
command.
W32/Rbot-UH will attempt to spread by exploiting the following
vulnerabilities:
DCOM (MS04-012)
LSASS (MS04-011)
Microsoft SQL servers with weak passwords.
When first run, W32/Rbot-UH copies itself to the Windows system folder
as MCAFESHIELD.EXE and runs this copy of the worm. The copy will then
attempt to delete the original file. In order to run each time a user
logs in, W32/Rbot-UH will set the following registry entries:
HKLM\Software\Microsoft\Windows\CurrentVersion\Run
Mcafee Auto Protect
mcafeshield.exe
HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices
Mcafee Auto Protect
mcafeshield.exe
HKCU\Software\Microsoft\Windows\CurrentVersion\Run
Mcafee Auto Protect
mcafeshield.exe
The worm runs continuously in the background providing backdoor access
to the infected computer.
The backdoor component of W32/Rbot-UH can be used to:
Initiate Distributed Denial-of-Service (DDoS) attacks.
Redirect TCP and SOCKS4 traffic.
Provide a remote login command shell.
Download, upload, delete and execute files.
Set up an HTTP, TFTP and FTP file server.
Steal passwords (including PayPal account information).
Log key presses and clipboard data.
Capture screenshots, webcam pictures and videos.
List and kill processes.
Stop, start, pause and delete services.
Open and close vulnerabilities.
Port scan for vulnerabilities on other remote computers.
Send emails as specified by the remote user.
Flush the DNS and ARP caches.
Shut down and reboot the computer.
Add and delete network shares, groups and users.
Sniff network traffic for passwords.
Send Net Messages.
W32/Rbot-UH can be used to steal registration and key details from
several computer games and applications including:
Battlefield 1942
Battlefield 1942 (Road To Rome)
Battlefield 1942 (Secret Weapons of WWII)
Battlefield Vietnam
Black and White
Chrome
Command and Conquer: Generals
Command and Conquer: Generals (Zero Hour)
Command and Conquer: Red Alert
Command and Conquer: Red Alert 2
Command and Conquer: Tiberian Sun
Counter-Strike
Far Cry
FIFA 2002
FIFA 2003
Freedom Force
Global Operations
Ground Control II
Gunman Chronicles
Half-Life
Hidden & Dangerous 2
IGI 2: Covert Strike
Industry Giant 2
James Bond 007: Nightfire
Joint Operations: Typhoon Rising
Legends of Might and Magic
Medal of Honor: Allied Assault
Medal of Honor: Allied Assault: Breakthrough
Medal of Honor: Allied Assault: Spearhead
Microsoft Windows Product ID
Nascar Racing 2002
Nascar Racing 2003
Need For Speed Hot Pursuit 2
Need For Speed: Underground
Neverwinter Nights
Neverwinter Nights (Hordes of the Underdark)
Neverwinter Nights (Shadows of Undrentide)
NHL 2002
NHL 2003
NOX
Rainbow Six III RavenShield
Shogun: Total War: Warlord Edition
Soldier of Fortune II - Double Helix
Soldiers Of Anarchy
The Gladiators
Unreal Tournament 2003
Unreal Tournament 2004
W32/Rbot-UH will alter the following registry entries in order to
enable/disable DCOM and open/close restrictions on IPC$ shares:
HKLM\Software\Microsoft\Ole\EnableDCOM
HKLM\System\CurrentControlSet\Control\Lsa\restrictanonymous
W32/Rbot-UH is capable of altering the following registry entry to
restrict anonymous enumeration of SAM accounts:
HKLM\System\CurrentControlSet\Control\Lsa\restrictanonymousSAM
W32/Rbot-UH can add and delete network shares and users on the infected
computer. The worm can also change the network logon rights of accounts
in the local system policy.
Name W32/Sdbot-YT
Type
* Worm
How it spreads
* Network shares
Affected operating systems
* Windows
Side effects
* Allows others to access the computer
* Installs itself in the Registry
Aliases
* Backdoor.Win32.SdBot.yn
* W32/Sdbot.worm.gen.i
* W32.Randex
* WORM_SDBOT.BVI
Prevalence (1-5) 2
Description
W32/Sdbot-YT is a network worm with IRC backdoor functionality.
W32/Sdbot-YT allows a remote attacker to control the infected computer
through an IRC connection.
Advanced
W32/Sdbot-YT is a worm with IRC backdoor functionality for the Windows
platform.
W32/Sdbot-YT spreads to other network computers infected with certain
types of malware and by copying itself to network shares protected by
weak passwords.
W32/Sdbot-YT runs continuously in the background, providing a backdoor
server which allows a remote intruder to gain access and control over
the computer via IRC channels.
When first run W32/Sdbot-YT copies itself to
<Windows system folder>\aim.exe.
The following registry entries are created to run aim.exe on startup:
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
AOL Instant Messanger
aim.exe
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices
AOL Instant Messanger
aim.exe
HKCU\Software\Microsoft\Windows\CurrentVersion\Run
AOL Instant Messanger
aim.exe
Name Troj/Zlob-H
Type
* Trojan
Affected operating systems
* Windows
Side effects
* Downloads code from the internet
* Installs itself in the Registry
Aliases
* Downloader-XC
Prevalence (1-5) 2
Description
Troj/Zlob-H is a downloader Trojan.
Troj/Zlob-H attempts to stealth itself by injecting itself into
EXPLORER.EXE or by registering itself as a service process.
Troj/Zlob-H attempts to download information from one of the following
websites:
dumpserv.com
zxserv0.com
vnp7s.net
Troj/Zlob-H will also try to download files from these websites to the
LogFiles subfolder of the Windows system folder, with a filename based on
the information it downloaded previously, and it may then execute the
downloaded file.
Advanced
Troj/Zlob-H is a downloader Trojan.
Troj/Zlob-H creates the following entry in the registry so as to run
itself on system startup, assuming it is called MSMSGS.EXE in a suitable
folder:
HKLM\Software\Microsoft\Windows\CurrentVersion\Run
notepad.exe
"msmsgs.exe"
Troj/Zlob-H also adds MSMSGS.EXE to the following registry entry so as
to run itself on system startup:
HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon
Shell
Troj/Zlob-H creates a registry entry at the following location:
HKLM\Software\Microsoft\Windows\CurrentVersion
uuid
Troj/Zlob-H attempts to stealth itself by injecting itself into
EXPLORER.EXE or by registering itself as a service process.
Troj/Zlob-H attempts to download information from one of the following
websites:
dumpserv.com
zxserv0.com
vnp7s.net
Troj/Zlob-H will also try to download files from these websites to the
LogFiles subfolder of the Windows system folder, with a filename based on
the information it downloaded previously, and it may then execute the
downloaded file.
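The Run, RunServices and Winlogon Shell entries listed for W32/Mytob-AK, W32/Sdbot-YT and Troj/Zlob-H above share two traits a registry audit can flag: autorun data that is a bare filename with no directory, and a Shell value with a second program appended after explorer.exe. The following Python, added as an example and not part of the Sophos text, parses a constructed .reg export (not taken from a real machine) and reports both; the value names in the sample are the ones on this page.

```python
import re

RUN_KEYS = (r"software\microsoft\windows\currentversion\run",
            r"software\microsoft\windows\currentversion\runservices")
WINLOGON_KEY = r"software\microsoft\windows nt\currentversion\winlogon"

def _unescape(value):
    # .reg files write a backslash as \\ and a double quote as \"
    return value.replace('\\"', '"').replace("\\\\", "\\")

def audit_reg_export(reg_text):
    """Parse a .reg export (real ones are UTF-16LE; open with encoding="utf-16")
    and return (kind, hive, name, data) findings: 'bare-autorun' for Run or
    RunServices data with no directory, 'shell-hijack' for a Winlogon Shell
    value that is not exactly explorer.exe."""
    findings, key = [], ""
    for raw in reg_text.splitlines():
        line = raw.strip()
        m = re.match(r"^\[(.+)\]$", line)         # [HKEY_...\key] section header
        if m:
            key = m.group(1).lower()
            continue
        m = re.match(r'^"(.*?)"="(.*)"$', line)    # "name"="string data"
        if not m or not key:
            continue
        name, data = m.group(1), _unescape(m.group(2))
        hive, _, subkey = key.partition("\\")
        if subkey in RUN_KEYS:
            exe = data.strip('"').split()[0] if data.strip() else ""
            if exe and "\\" not in exe and ":" not in exe:  # no path given
                findings.append(("bare-autorun", hive, name, data))
        elif subkey == WINLOGON_KEY and name.lower() == "shell":
            if data.strip().lower() != "explorer.exe":
                findings.append(("shell-hijack", hive, name, data))
    return findings

# Constructed sample export (not from a real machine): one legitimate
# full-path entry, bare-filename entries of the kind Mytob-AK, Sdbot-YT and
# Zlob-H write, and a Winlogon Shell with a second program appended.
SAMPLE_REG = r"""Windows Registry Editor Version 5.00
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SoundMan"="C:\\WINDOWS\\SOUNDMAN.EXE"
"WINTASK"="taskgmr32.exe"
"notepad.exe"="\"msmsgs.exe\""
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"AOL Instant Messanger"="aim.exe"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"Shell"="explorer.exe msmsgs.exe"
"""
```

A bare filename is not proof of infection (some legitimate installers also omit the path), so treat each finding as a lead to check against the executable's location and signer.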
--- MultiMail/Win32 v0.43
* Origin: Try Our Web Based QWK: DOCSPLACE.ORG (1:123/140)