Conference VIRUS, 378 texts
Text 134, 2074 lines
Written 2005-08-20 16:17:00 by KURT WISMER (1:123/140)
Subject: News, August 20 2005
============================
[cut-n-paste from sophos.com]

Name   W32/Zotob-A

Type  
    * Worm

Affected operating systems  
    * Windows

Side effects  
    * Allows others to access the computer
    * Reduces system security
    * Installs itself in the Registry
    * Exploits system or software vulnerabilities

Aliases  
    * Net-Worm.Win32.Mytob.cd
    * W32/Zotob.worm
    * WORM_ZOTOB.A

Prevalence (1-5) 2

Description
W32/Zotob-A is a worm and backdoor Trojan for the Windows platform.

W32/Zotob-A spreads to other network computers by exploiting common 
buffer overflow vulnerabilities, including LSASS (MS04-011) and PnP 
(MS05-039).

W32/Zotob-A runs continuously in the background, providing a backdoor 
server which allows a remote intruder to gain access and control over 
the computer.

Advanced
W32/Zotob-A is a worm and backdoor Trojan for the Windows platform.

W32/Zotob-A spreads to other network computers by exploiting common 
buffer overflow vulnerabilities, including LSASS (MS04-011) and PnP 
(MS05-039).

W32/Zotob-A runs continuously in the background, providing a backdoor 
server which allows a remote intruder to gain access and control over 
the computer.

When first run W32/Zotob-A copies itself to <System>\botzor.exe.

The following registry entries are created to run botzor.exe on 
startup:

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
WINDOWS SYSTEM
botzor.exe

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices
WINDOWS SYSTEM
botzor.exe

W32/Zotob-A also sets the following registry entry

HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess
Start
4

The worm may drop a file 2pac.txt. This is a text file that may be 
safely deleted.

W32/Zotob-A also appends the following to the system HOSTS file in 
order to prevent access to certain websites:

Botzor2005 Made By .... Greetz to good friend Coder. Based On HellBot3
MSG to avs: the first av who detect this worm will be the first 
killed in the next 24hours!!!
n127.0.0.1 www.symantec.com
127.0.0.1 securityresponse.symantec.com
127.0.0.1 symantec.com
127.0.0.1 www.sophos.com
127.0.0.1 sophos.com
127.0.0.1 www.mcafee.com
127.0.0.1 mcafee.com
127.0.0.1 liveupdate.symantecliveupdate.com
127.0.0.1 www.viruslist.com
127.0.0.1 viruslist.com
127.0.0.1 viruslist.com
127.0.0.1 f-secure.com
127.0.0.1 www.f-secure.com
127.0.0.1 kaspersky.com
127.0.0.1 kaspersky-labs.com
127.0.0.1 www.avp.com
127.0.0.1 www.kaspersky.com
127.0.0.1 avp.com
127.0.0.1 www.networkassociates.com
127.0.0.1 networkassociates.com
127.0.0.1 www.ca.com
127.0.0.1 ca.com
127.0.0.1 mast.mcafee.com
127.0.0.1 my-etrust.com
127.0.0.1 www.my-etrust.com
127.0.0.1 download.mcafee.com
127.0.0.1 dispatch.mcafee.com
127.0.0.1 secure.nai.com
127.0.0.1 nai.com
127.0.0.1 www.nai.com
127.0.0.1 update.symantec.com
127.0.0.1 updates.symantec.com
127.0.0.1 us.mcafee.com
127.0.0.1 liveupdate.symantec.com
127.0.0.1 customer.symantec.com
127.0.0.1 rads.mcafee.com
127.0.0.1 trendmicro.com
127.0.0.1 pandasoftware.com
127.0.0.1 www.pandasoftware.com
127.0.0.1 www.trendmicro.com
127.0.0.1 www.grisoft.com
127.0.0.1 www.microsoft.com
127.0.0.1 microsoft.com
127.0.0.1 www.virustotal.com
127.0.0.1 virustotal.com
127.0.0.1 www.amazon.com
127.0.0.1 www.amazon.co.uk
127.0.0.1 www.amazon.ca
127.0.0.1 www.amazon.fr
127.0.0.1 www.paypal.com
127.0.0.1 paypal.com
127.0.0.1 moneybookers.com
127.0.0.1 www.moneybookers.com
127.0.0.1 www.ebay.com
127.0.0.1 ebay.com

Patches for the operating system vulnerabilities exploited by 
W32/Zotob-A can be obtained from Microsoft at:

MS04-011
MS05-039





Name   W32/Antix-A

Type  
    * Spyware Worm

How it spreads  
    * Chat programs

Affected operating systems  
    * Windows

Side effects  
    * Turns off anti-virus applications
    * Allows others to access the computer
    * Steals information
    * Downloads code from the internet

Aliases  
    * Backdoor.Win32.VBbot.i
    * W32.Kelvir

Prevalence (1-5) 2

Description
W32/Antix-A is an MSN Messenger worm with backdoor functionality for 
the Windows platform.

W32/Antix-A sends a message to all MSN Messenger contacts with a link 
to a site that contains a copy of the worm.

The message will be one of the following:

Hej, did you download the new MSN yet? :D
lol check out MSN Plus...it ownz! :o
Automessage : Download MSN Plus:
lol, this is awsome...:|
Want more msn emotions? :D
MSN 8.0 Beta released....get it here :D
Hej, wanna update your Messenger :D ?
dude, this is awesome... a must see! :D
lol I just updated my Messenger and I must say IT ROCKS!!
Check this out mate, it roxxx :D !!

Advanced
W32/Antix-A is a worm with backdoor functionality for the Windows 
platform that spreads through the MSN Messenger Service as a result 
of the backdoor command.

W32/Antix-A sends a message to all MSN Messenger contacts with a link 
to a site that contains a copy of the worm.

The message will be one of the following:

Hej, did you download the new MSN yet? :D
lol check out MSN Plus...it ownz! :o
Automessage : Download MSN Plus:
lol, this is awsome...:|
Want more msn emotions? :D
MSN 8.0 Beta released....get it here :D
Hej, wanna update your Messenger :D ?
dude, this is awesome... a must see! :D
lol I just updated my Messenger and I must say IT ROCKS!!
Check this out mate, it roxxx :D !!

When first run W32/Antix-A copies itself to 
<System>\<newfolder>\kernel32.exe, where <newfolder> is a folder 
created by the worm with a name constructed from randomly chosen 
characters, similar to <bpzjkwrdd>.

W32/Antix-A will attempt to disable Anti-virus and firewall processes 
and services.

W32/Antix-A includes functionality to silently download, install and 
run new software including an update of itself, initiate a proxy 
server on the infected computer, steal passwords, act as a flooder.





Name   W32/Rbot-ALA

Type  
    * Spyware Worm

How it spreads  
    * Network shares

Affected operating systems  
    * Windows

Side effects  
    * Turns off anti-virus applications
    * Allows others to access the computer
    * Deletes files off the computer
    * Steals information
    * Drops more malware

Prevalence (1-5) 2

Description
W32/Rbot-ALA is a network worm with backdoor Trojan functionality for 
the Windows platform.

W32/Rbot-ALA spreads using a variety of techniques including 
exploiting weak passwords on computers through exploiting various 
operating system vulnerabilities.

Advanced
W32/Rbot-ALA is a network worm with backdoor Trojan functionality for 
the Windows platform.

When run, the worm connects to a predetermined IRC server and awaits 
commands from remote attackers. The backdoor component of 
W32/Rbot-ALA can be instructed by a remote user to perform various 
tasks. The worm attempts to determine the external IP address of the 
infected computer by connecting to several websites capable of 
determining the presence of HTTP proxies and the level of 
anonymity.

W32/Rbot-ALA spreads using a variety of techniques including 
exploiting weak passwords on computers through exploiting various 
operating system vulnerabilities.

The worm may create and load a system driver named winmon.sys. The 
driver file is detected by Sophos's anti-virus products as 
Troj/Rootkit-Y.





Name   W32/Tilebot-F

Type  
    * Spyware Worm

How it spreads  
    * Network shares

Affected operating systems  
    * Windows

Side effects  
    * Allows others to access the computer
    * Steals information
    * Downloads code from the internet
    * Installs itself in the Registry
    * Exploits system or software vulnerabilities

Aliases  
    * Backdoor.Win32.SdBot.acf

Prevalence (1-5) 2

Description
W32/Tilebot-F is a worm and IRC backdoor Trojan for the Windows 
platform.

W32/Tilebot-F spreads to other network computers by exploiting common 
buffer overflow vulnerabilities, including LSASS (MS04-011) and PnP 
(MS05-039).

W32/Tilebot-F runs continuously in the background, providing a 
backdoor server which allows a remote intruder to gain access and 
control over the computer via IRC channels.

W32/Tilebot-F includes functionality to:

- carry out DDoS flooder attacks
- silently download, install and run new software
- access the internet and communicate with a remote server via HTTP
- steal information from the computer including user account passwords from 
  the protected storage areas

When first run W32/Tilebot-F copies itself to <Windows>\smsc.exe and 
creates the file <System>\rdriv.sys.

The file rdriv.sys is detected as Troj/Rootkit-W.

The following patches for the operating system vulnerabilities 
exploited by W32/Tilebot-F can be obtained from the Microsoft website:

MS04-011
MS05-039

Advanced
W32/Tilebot-F is a worm and IRC backdoor Trojan for the Windows 
platform.

W32/Tilebot-F spreads to other network computers by exploiting common 
buffer overflow vulnerabilities, including LSASS (MS04-011) and PnP 
(MS05-039).

W32/Tilebot-F runs continuously in the background, providing a 
backdoor server which allows a remote intruder to gain access and 
control over the computer via IRC channels.

W32/Tilebot-F includes functionality to:

- carry out DDoS flooder attacks
- silently download, install and run new software
- access the internet and communicate with a remote server via HTTP
- steal information from the computer including user account passwords from 
  the protected storage areas

When first run W32/Tilebot-F copies itself to <Windows>\smsc.exe and 
creates the file <System>\rdriv.sys.

The file rdriv.sys is detected as Troj/Rootkit-W.

The file smsc.exe is registered as a new system driver service named 
"WINSMSC", with a display name of "System Messenger Service" and a 
startup type of automatic, so that it is started automatically during 
system startup. Registry entries are created under:

HKLM\SYSTEM\CurrentControlSet\Services\WINSMSC

HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_WINSMSC

The file rdriv.sys is registered as a new system driver service named 
"rdriv", with a display name of "rdriv". Registry entries are created 
under:

HKLM\SYSTEM\CurrentControlSet\Services\rdriv\

W32/Tilebot-F attempts to terminate services with the following names 
in order to disrupt various security processes including the Windows 
firewall and Windows critical updates:

Tlntsvr
RemoteRegistry
Messenger
wscsvc

W32/Tilebot-F sets the following registry entries, disabling the 
automatic startup of other software:

HKLM\SYSTEM\CurrentControlSet\Services\Messenger
Start
4

HKLM\SYSTEM\CurrentControlSet\Services\RemoteRegistry
Start
4

HKLM\SYSTEM\CurrentControlSet\Services\wscsvc
Start
4

HKLM\SYSTEM\CurrentControlSet\Services\TlntSvr
Start
4

Registry entries are set as follows:

HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate
DoNotAllowXPSP2
1

HKLM\SOFTWARE\Microsoft\Ole
EnableDCOM
N

HKLM\SYSTEM\CurrentControlSet\Control\Lsa
restrictanonymous
1

HKLM\SYSTEM\CurrentControlSet\Hardware Profiles\Current\Software\
Microsoft\windows\CurrentVersion\Internet Settings
ProxyEnable
1

Registry entries are created under:

HKLM\SOFTWARE\Microsoft\Security Center\
HKLM\SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile\
HKLM\SOFTWARE\Policies\Microsoft\WindowsFirewall\StandardProfile\

The following patches for the operating system vulnerabilities 
exploited by W32/Tilebot-F can be obtained from the Microsoft website:

MS04-011
MS05-039





Name   W32/Rbot-ALI

Type  
    * Spyware Worm

How it spreads  
    * Network shares

Affected operating systems  
    * Windows

Side effects  
    * Allows others to access the computer
    * Downloads code from the internet
    * Records keystrokes
    * Installs itself in the Registry
    * Used in DOS attacks

Aliases  
    * Backdoor.Win32.Rbot.yp

Prevalence (1-5) 2

Description
W32/Rbot-ALI is a worm and IRC backdoor Trojan for the Windows 
platform.

W32/Rbot-ALI spreads by copying itself to network shares protected by 
weak passwords.

W32/Rbot-ALI runs continuously in the background, providing a 
backdoor server which allows a remote intruder to gain access and 
control over the computer via IRC channels.

W32/Rbot-ALI includes functionality to:

- add/delete network shared folders
- steal confidential information
- carry out DDoS flooder attacks
- provide a proxy server
- access the internet and communicate with a remote server via HTTP

Advanced
W32/Rbot-ALI is a worm and IRC backdoor Trojan for the Windows 
platform.

W32/Rbot-ALI spreads by copying itself to network shares protected by 
weak passwords.

W32/Rbot-ALI runs continuously in the background, providing a 
backdoor server which allows a remote intruder to gain access and 
control over the computer via IRC channels.

W32/Rbot-ALI includes functionality to:

- add/delete network shared folders
- steal confidential information
- carry out DDoS flooder attacks
- provide a proxy server
- access the internet and communicate with a remote server via HTTP

When first run W32/Rbot-ALI moves itself to <System>\windir32.exe.

The following registry entries are created to run the worm on startup:

HKCU\Software\Microsoft\Windows\CurrentVersion\Run
Microsoft Windows DLL Services Configuration
windir32.exe

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices
Microsoft Windows DLL Services Configuration
windir32.exe

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Microsoft Windows DLL Services Configuration
windir32.exe





Name   Troj/RKPort-Fam

Type  
    * Trojan

Affected operating systems  
    * Windows

Side effects  
    * Reduces system security

Prevalence (1-5) 2

Description
Troj/RKPort-Fam is a family of kernel-mode driver rootkits.

Members of Troj/RKPort-Fam are capable of hiding information about 
activity on certain ports, providing stealthing by patching the 
kernel service descriptor table.





Name   W32/Tilebot-Z

Type  
    * Spyware Worm

How it spreads  
    * Network shares

Affected operating systems  
    * Windows

Side effects  
    * Turns off anti-virus applications
    * Allows others to access the computer
    * Steals information
    * Drops more malware
    * Downloads code from the internet
    * Reduces system security

Aliases  
    * Backdoor.Win32.SdBot.aad

Prevalence (1-5) 2

Description
W32/Tilebot-Z is a worm which attempts to spread to remote network 
shares. It also contains backdoor Trojan functionality, allowing 
unauthorized remote access to the infected computer via IRC channels.

W32/Tilebot-Z spreads to network shares with weak passwords as a 
result of the backdoor Trojan element receiving the appropriate 
command from a remote user.

W32/Tilebot-Z allows a remote user to perform a wide range of actions 
on the infected computer including downloading further files, setting 
registry entries and stealing information from the computer including 
from protected storage areas.

Advanced
W32/Tilebot-Z is a worm which attempts to spread to remote network 
shares. It also contains backdoor Trojan functionality, allowing 
unauthorized remote access to the infected computer via IRC channels.

W32/Tilebot-Z spreads to network shares with weak passwords as a 
result of the backdoor Trojan element receiving the appropriate 
command from a remote user.

W32/Tilebot-Z copies itself to the Windows folder with the filename 
sounddv.exe and creates a service named "WIN32SOUND" in order to run 
itself on system startup, to which it gives the fake description 
"WIN32 Sound Drivers."

W32/Tilebot-Z allows a remote user to perform a wide range of actions 
on the infected computer including downloading further files, setting 
registry entries and stealing information from the computer including 
from protected storage areas.

W32/Tilebot-Z attempts to terminate services with the following names 
in order to disrupt various security processes including the Windows 
firewall and Windows critical updates:

Tlntsvr
RemoteRegistry
Messenger
SharedAccess
wscsvc

W32/Tilebot-Z attempts to set the following registry entries to 
disrupt various security processes:

HKLM\SOFTWARE\Microsoft\Security Center
UpdatesDisableNotify
1

HKLM\SOFTWARE\Microsoft\Security Center
AntiVirusDisableNotify
1

HKLM\SOFTWARE\Microsoft\Security Center
FirewallDisableNotify
1

HKLM\SOFTWARE\Microsoft\Security Center
AntiVirusOverride
1

HKLM\SOFTWARE\Microsoft\Security Center
FirewallOverride
1

HKLM\SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile
EnableFirewall
0

HKLM\SOFTWARE\Policies\Microsoft\WindowsFirewall\StandardProfile
EnableFirewall
0

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate\
AutoUpdate
AUOptions
1

HKLM\SYSTEM\CurrentControlSet\Services\wscsvc
Start
4

HKLM\SYSTEM\CurrentControlSet\Services\TlntSvr
Start
4

HKLM\SYSTEM\CurrentControlSet\Services\RemoteRegistry
Start
4

HKLM\SYSTEM\CurrentControlSet\Services\Messenger
Start
4

HKLM\SYSTEM\CurrentControlSet\Control\Lsa
restictanonymous
1

HKLM\SYSTEM\CurrentControlSet\Services\lanmanserver\parameters
AutoShareWks
0

HKLM\SYSTEM\CurrentControlSet\Services\lanmanserver\parameters
AutoShareServer
0

HKLM\SYSTEM\CurrentControlSet\Services\lanmanworkstation\parameters
AutoShareWks
0

HKLM\SYSTEM\CurrentControlSet\Services\lanmanworkstation\parameters
AutoShareServer
0

HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate
DoNotAlloxXPSP2
1

HKLM\SOFTWARE\Microsoft\OLE
EnableDCOM
"N"

W32/Tilebot-Z may also set entries in the registry at the following 
locations:

HKLM\SYSTEM\CurrentControlSet\Control\
WaitToKillServiceTimeout

W32/Tilebot-Z attempts to remove network shares from the infected 
computer, as well as changing the policy for SeNetworkLogonRight for 
the computer.

W32/Tilebot-Z may attempt to contact scripts at the following 
addresses:

http://cgi14.plala.or.jp
http://hpcgi1.nifty.com
http://www.age.ne.jp
http://www.kinchan.net
http://www2.dokidoki.ne.jp
http://yia.s22.xrea.com

W32/Tilebot-Z may create the file hpr34k8.sys and set up a service 
for it named HPR34K8. This file is currently detected as Troj/Rootkit-AA.





Name   W32/Tpbot-A

Type  
    * Worm

How it spreads  
    * Network shares

Affected operating systems  
    * Windows

Side effects  
    * Allows others to access the computer
    * Downloads code from the internet
    * Reduces system security
    * Installs itself in the Registry
    * Exploits system or software vulnerabilities

Aliases  
    * W32.Zotob.E
    * WORM_RBOT.CBQ
    * Net-Worm.Win32.Small.d
    * Net_Worm.Win32.Bozori.A

Prevalence (1-5) 2

Description
W32/Tpbot-A is a network worm with backdoor Trojan functionality for 
the Windows platform.

W32/Tpbot-A spreads using a variety of techniques including the 
exploitation of operating system vulnerabilities such as LSASS 
(MS04-011) and PnP (MS05-039).

W32/Tpbot-A may attempt to download and execute additional files.

Patches for the operating system vulnerabilities exploited by 
W32/Tpbot-A can be obtained from Microsoft at:

MS04-011
MS05-039

Advanced
W32/Tpbot-A is a network worm with backdoor Trojan functionality for 
the Windows platform.

When run, W32/Tpbot-A copies itself to the Windows system folder as 
wintbp.exe and creates the following registry entry in order to run 
each time a user logs on:

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
wintbp.exe
"wintbp.exe"

W32/Tpbot-A spreads using a variety of techniques including the 
exploitation of operating system vulnerabilities such as LSASS 
(MS04-011) and PnP (MS05-039).

The backdoor component connects to an IRC server and joins a 
predetermined channel where it then awaits commands from attackers.

W32/Tpbot-A may attempt to download and execute additional files.

Patches for the operating system vulnerabilities exploited by 
W32/Tpbot-A can be obtained from Microsoft at:

MS04-011
MS05-039





Name   W32/Zotob-F

Type  
    * Worm

How it spreads  
    * Network shares

Affected operating systems  
    * Windows

Side effects  
    * Allows others to access the computer
    * Installs itself in the Registry
    * Exploits system or software vulnerabilities

Aliases  
    * Net-Worm.Win32.Bozori.b
    * W32.Zotob.F

Prevalence (1-5) 2

Description
W32/Zotob-F is a worm and IRC backdoor Trojan for the Windows platform.

W32/Zotob-F spreads to other network computers by exploiting common 
buffer overflow vulnerabilities, including LSASS (MS04-011) and PnP 
(MS05-039).

W32/Zotob-F runs continuously in the background, providing a backdoor 
server which allows a remote intruder to gain access and control over 
the computer via IRC channels.

Patches for the operating system vulnerabilities exploited by 
W32/Zotob-F can be obtained from Microsoft at:

MS04-011
MS05-039

Advanced
W32/Zotob-F is a worm and IRC backdoor Trojan for the Windows platform.

W32/Zotob-F spreads to other network computers by exploiting common 
buffer overflow vulnerabilities, including LSASS (MS04-011) and PnP 
(MS05-039).

W32/Zotob-F runs continuously in the background, providing a backdoor 
server which allows a remote intruder to gain access and control over 
the computer via IRC channels.

When first run W32/Zotob-F copies itself to <System>\wintbpx.exe and 
creates the following files:

<Temp>\387.bat
<Temp>\821.bat

These are batch files which attempt to remove the worm's file from 
the current folder.

The following registry entry is created to run wintbpx.exe on startup:

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
wintbpx.exe
wintbpx.exe

W32/Zotob-F attempts to terminate the following processes and delete 
the corresponding files:

wintbp.exe
svnlitup32.exe
service32.exe
mousebm.exe
llsrv.exe
pnpsrv.exe
winpnp.exe
csm.exe
system32.exe
botzor.exe
upnp.exe

Patches for the operating system vulnerabilities exploited by 
W32/Zotob-F can be obtained from Microsoft at:

MS04-011
MS05-039





Name   Troj/BagleDl-R

Type  
    * Trojan

Affected operating systems  
    * Windows

Side effects  
    * Turns off anti-virus applications
    * Modifies data on the computer
    * Downloads code from the internet
    * Installs itself in the Registry

Aliases  
    * Email-Worm.Win32.Bagle.bq

Prevalence (1-5) 2

Description
Troj/BagleDl-R is a downloader Trojan which will download, install 
and run new software without notification that it is doing so.

Troj/BagleDl-R includes functionality to:

- inject its code into EXPLORER.EXE
- modify the HOSTS file
- disable other software, including anti-virus, firewall and security 
  related applications

Troj/BagleDl-R then attempts to download files from remote websites 
and run them.

Troj/BagleDl-R may also run MSPAINT.EXE in an attempt to obfuscate 
itself.

Advanced
Troj/BagleDl-R is a downloader Trojan which will download, install 
and run new software without notification that it is doing so.

Troj/BagleDl-R includes functionality to:

- inject its code into EXPLORER.EXE
- modify the HOSTS file
- disable other software, including anti-virus, firewall and security 
  related applications

When first run Troj/BagleDl-R copies itself to <System>\winshost.exe 
and creates the file <System>\wiwshost.exe. The file 
<System>\wiwshost.exe is also detected by Sophos as Troj/BagleDl-R.

The following registry entries are created to run winshost.exe on 
startup:

HKCU\Software\Microsoft\Windows\CurrentVersion\Run
winshost.exe
<System>\winshost.exe

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
winshost.exe
<System>\winshost.exe

Registry entries are set as follows:

HKLM\SYSTEM\CurrentControlSet\Services\Alerter
Start
00000004

HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess
Start
00000004

HKLM\SYSTEM\CurrentControlSet\Services\wuauserv
Start
00000004

Troj/BagleDl-R creates a new version of the HOSTS file. The new HOSTS 
file will typically contain the following:

127.0.0.1 localhost

Troj/BagleDl-R also attempts to modify or delete the following 
registry entries:

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Symantec NetDriver Monitor

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
ccApp

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
NAV CfgWiz

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
SSC_UserPrompt

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
McAfee Guardian

HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
McAfee.InstantUpdate.Monitor

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
APVXDWIN

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
KAV50

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
avg7_cc

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
avg7_emc

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Zone Labs Client

HKLM\SOFTWARE\Symantec

HKLM\SOFTWARE\McAfee

HKLM\SOFTWARE\KasperskyLab

HKLM\SOFTWARE\Agnitum

HKLM\SOFTWARE\Panda Software

HKLM\SOFTWARE\Zone Labs

Troj/BagleDl-R then attempts to download files from remote websites 
and run them.

Troj/BagleDl-R may also run MSPAINT.EXE in an attempt to obfuscate 
itself.





Name   W32/Hwbot-B

Type  
    * Worm

Affected operating systems  
    * Windows

Side effects  
    * Allows others to access the computer
    * Installs itself in the Registry
    * Exploits system or software vulnerabilities

Prevalence (1-5) 2

Description
W32/Hwbot-B is a network worm for the Windows platform.

W32/Hwbot-B connects to an IRC server and waits for instructions from 
a remote user including to download and execute further code or to 
spread via network security exploits.

W32/Hwbot-B can spread to computers vulnerable to the UPnP exploit.

The following patches for the operating system vulnerabilities 
exploited by W32/Hwbot-B can be obtained from the Microsoft website:

MS05-039

Advanced
W32/Hwbot-B is a network worm for the Windows platform.

When first run W32/Hwbot-B copies itself to <System>\wpa.exe and 
creates the file <Windows>\Debug\dcpromo.log.

The file wpa.exe is registered as a new system driver service named 
"wpa", with a display name of "WindowsProduct Activation" and a 
startup type of automatic, so that it is started automatically during 
system startup.

Registry entries are created under:

HKLM\SYSTEM\CurrentControlSet\Services\wpa\

W32/Hwbot-B connects to an IRC server and waits for instructions from 
a remote user including to download and execute further code or to 
spread via network security exploits.

W32/Hwbot-B can spread to computers vulnerable to the UPnP exploit.

The following patches for the operating system vulnerabilities 
exploited by W32/Hwbot-B can be obtained from the Microsoft website:

MS05-039

Registry entries are set as follows:

HKLM\SOFTWARE\Microsoft\Ole
EnableDCOM
n

HKLM\SYSTEM\CurrentControlSet\Control\Lsa
restrictanonymous
1





Name   Troj/Small-NY

Type  
    * Trojan

Affected operating systems  
    * Windows

Side effects  
    * Downloads code from the internet

Aliases  
    * Trojan-Downloader.Win32.Small.ny

Prevalence (1-5) 2

Description
Troj/Small-NY is a Trojan for the Windows platform.

Troj/Small-NY includes functionality to access the internet and 
communicate with a remote server via HTTP.





Name   W32/Tilebot-I

Type  
    * Worm

How it spreads  
    * Network shares

Affected operating systems  
    * Windows

Side effects  
    * Allows others to access the computer
    * Drops more malware
    * Installs itself in the Registry
    * Exploits system or software vulnerabilities

Aliases  
    * W32.Spybot.Worm
    * Backdoor.Win32.SdBot.acf

Prevalence (1-5) 2

Description
W32/Tilebot-I is a worm and IRC backdoor Trojan for the Windows 
platform.

W32/Tilebot-I spreads to other network computers by exploiting common 
buffer overflow vulnerabilities, including PNP (MS05-039).

W32/Tilebot-I runs continuously in the background, providing a 
backdoor server which allows a remote intruder to gain access and 
control over the computer via IRC channels.

W32/Tilebot-I includes functionality to access the internet and 
communicate with a remote server via HTTP.

W32/Tilebot-I drops a file detected as Troj/Rootkit-W.

Advanced
W32/Tilebot-I is a worm and IRC backdoor Trojan for the Windows 
platform.

W32/Tilebot-I spreads to other network computers by exploiting common 
buffer overflow vulnerabilities, including PNP (MS05-039).

W32/Tilebot-I runs continuously in the background, providing a 
backdoor server which allows a remote intruder to gain access and 
control over the computer via IRC channels.

W32/Tilebot-I includes functionality to access the internet and 
communicate with a remote server via HTTP.

When first run W32/Tilebot-I copies itself to <Windows>\svehost32.exe 
and creates the file <System>\rdriv.sys.

The file rdriv.sys is detected as Troj/Rootkit-W.

The file rdriv.sys is registered as a new system driver service named 
"rdriv", with a display name of "rdriv". Registry entries are created 
under:

HKLM\SYSTEM\CurrentControlSet\Services\rdriv\

The file svehost32.exe is registered as a new system driver service 
named "svehost32", with a display name of "Microsoft New Game 2" and 
a startup type of automatic, so that it is started automatically 
during system startup. Registry entries are created under:

HKLM\SYSTEM\CurrentControlSet\Services\svehost32\

W32/Tilebot-I sets the following registry entries, disabling the 
automatic startup of other software:

HKLM\SYSTEM\CurrentControlSet\Services\Messenger
Start
4

HKLM\SYSTEM\CurrentControlSet\Services\RemoteRegistry
Start
4

HKLM\SYSTEM\CurrentControlSet\Services\TlntSvr
Start
4

Registry entries are set as follows:

HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate
DoNotAllowXPSP2
1

HKLM\SOFTWARE\Microsoft\Ole
EnableDCOM
N

HKLM\SYSTEM\CurrentControlSet\Control\Lsa
restrictanonymous
1

Registry entries are created under:

HKLM\SOFTWARE\Microsoft\Security Center\
HKLM\SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile\
HKLM\SOFTWARE\Policies\Microsoft\WindowsFirewall\StandardProfile\





Name   W32/Tilebot-J

Type  
    * Worm

How it spreads  
    * Network shares

Affected operating systems  
    * Windows

Side effects  
    * Turns off anti-virus applications
    * Allows others to access the computer
    * Drops more malware
    * Downloads code from the internet
    * Reduces system security

Aliases  
    * Backdoor.Win32.SdBot.aad

Prevalence (1-5) 2

Description
W32/Tilebot-J is a worm which attempts to spread to remote network 
shares. It also contains backdoor Trojan functionality, allowing 
unauthorized remote access to the infected computer via IRC channels.

W32/Tilebot-J spreads to network shares with weak passwords as a 
result of the backdoor Trojan element receiving the appropriate 
command from a remote user. The worm also spreads by exploiting the 
PnP operating system vulnerability (MS05-039).

W32/Tilebot-J allows a remote user to perform a wide range of actions 
on the infected computer including downloading further files, setting 
registry entries and stealing information from the computer including 
from protected storage areas.

Advanced
W32/Tilebot-J is a worm which attempts to spread to remote network 
shares. It also contains backdoor Trojan functionality, allowing 
unauthorized remote access to the infected computer via IRC channels.

W32/Tilebot-J spreads to network shares with weak passwords as a 
result of the backdoor Trojan element receiving the appropriate 
command from a remote user. The worm also spreads by exploiting the 
PnP operating system vulnerability (MS05-039).

W32/Tilebot-J copies itself to the Windows folder with the filename 
netinfo.exe and creates a service named "NETINFO" in order to run 
itself on system startup, to which it gives the fake description 
"Internet Info Service." The following registry branches are created:

HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_NETINFO\
<several entries>

HKLM\SYSTEM\CurrentControlSet\Services\netinfo\
<several entries>

W32/Tilebot-J allows a remote user to perform a wide range of actions 
on the infected computer including downloading further files, setting 
registry entries and stealing information from the computer including 
from protected storage areas.

W32/Tilebot-J attempts to terminate services with the following names 
in order to disrupt various security processes including the Windows 
firewall and Windows critical updates:

Tlntsvr
RemoteRegistry
Messenger
SharedAccess
wscsvc

W32/Tilebot-J attempts to set the following registry entries to 
disrupt various security processes:

HKLM\SOFTWARE\Microsoft\Security Center
UpdatesDisableNotify
1

HKLM\SOFTWARE\Microsoft\Security Center
AntiVirusDisableNotify
1

HKLM\SOFTWARE\Microsoft\Security Center
FirewallDisableNotify
1

HKLM\SOFTWARE\Microsoft\Security Center
AntiVirusOverride
1

HKLM\SOFTWARE\Microsoft\Security Center
FirewallOverride
1

HKLM\SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile
EnableFirewall
0

HKLM\SOFTWARE\Policies\Microsoft\WindowsFirewall\StandardProfile
EnableFirewall
0

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate\AutoUpdate
AUOptions
1

HKLM\SYSTEM\CurrentControlSet\Services\wscsvc
Start
4

HKLM\SYSTEM\CurrentControlSet\Services\TlntSvr
Start
4

HKLM\SYSTEM\CurrentControlSet\Services\RemoteRegistry
Start
4

HKLM\SYSTEM\CurrentControlSet\Services\Messenger
Start
4

HKLM\SYSTEM\CurrentControlSet\Control\Lsa
restictanonymous
1

HKLM\SYSTEM\CurrentControlSet\Services\lanmanserver\parameters
AutoShareWks
0

HKLM\SYSTEM\CurrentControlSet\Services\lanmanserver\parameters
AutoShareServer
0

HKLM\SYSTEM\CurrentControlSet\Services\lanmanworkstation\parameters
AutoShareWks
0

HKLM\SYSTEM\CurrentControlSet\Services\lanmanworkstation\parameters
AutoShareServer
0

HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate
DoNotAlloxXPSP2
1

HKLM\SOFTWARE\Microsoft\OLE
EnableDCOM
"N"

W32/Tilebot-J may also set entries in the registry at the following 
locations:

HKLM\SYSTEM\CurrentControlSet\Control\
WaitToKillServiceTimeout

W32/Tilebot-J attempts to remove network shares from the infected 
computer, as well as changing the policy for SeNetworkLogonRight for 
the computer.
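Because the settings listed above for W32/Tilebot-J are plain registry data, a host can be audited for them offline. The Python below is an added example, not part of the Sophos advisory: it parses the output of Windows' "reg export" and reports every listed value that is present with the weakening data. The sample export is constructed, and the two value names whose spelling on the page is uncertain are left out.

```python
import re

HKLM = "HKEY_LOCAL_MACHINE"
SC = HKLM + r"\SOFTWARE\Microsoft\Security Center"
FW = HKLM + r"\SOFTWARE\Policies\Microsoft\WindowsFirewall"
SVC = HKLM + r"\SYSTEM\CurrentControlSet\Services"
WU = HKLM + r"\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate\AutoUpdate"

# (key, value name) -> data the advisory says W32/Tilebot-J writes.
TILEBOT_J_SETTINGS = {
    (SC, "UpdatesDisableNotify"): 1,
    (SC, "AntiVirusDisableNotify"): 1,
    (SC, "FirewallDisableNotify"): 1,
    (SC, "AntiVirusOverride"): 1,
    (SC, "FirewallOverride"): 1,
    (FW + r"\DomainProfile", "EnableFirewall"): 0,
    (FW + r"\StandardProfile", "EnableFirewall"): 0,
    (WU, "AUOptions"): 1,
    (SVC + r"\wscsvc", "Start"): 4,
    (SVC + r"\TlntSvr", "Start"): 4,
    (SVC + r"\RemoteRegistry", "Start"): 4,
    (SVC + r"\Messenger", "Start"): 4,
    (SVC + r"\lanmanserver\parameters", "AutoShareWks"): 0,
    (SVC + r"\lanmanserver\parameters", "AutoShareServer"): 0,
    (HKLM + r"\SOFTWARE\Microsoft\OLE", "EnableDCOM"): "N",
}

# Constructed sample of 'reg export' output (not a real capture). A real
# export file is UTF-16LE: open(path, encoding="utf-16").read().
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center]
"AntiVirusDisableNotify"=dword:00000001
"FirewallDisableNotify"=dword:00000001
"UpdatesDisableNotify"=dword:00000000

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\StandardProfile]
"EnableFirewall"=dword:00000000

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\wscsvc]
"Start"=dword:00000004

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Ole]
"EnableDCOM"="N"
'''

def parse_reg_export(text):
    """Parse the .reg subset 'reg export' writes: [key] headers plus
    "name"=dword:hex and "name"="string" values. Keys and names are
    lower-cased because the registry is case-insensitive."""
    values, key = {}, None
    for line in text.splitlines():
        line = line.strip()
        m = re.match(r"^\[(.+)\]$", line)
        if m:
            key = m.group(1).lower()
            continue
        m = re.match(r'^"([^"]+)"=(.*)$', line)
        if not m or key is None:
            continue
        name, raw = m.group(1).lower(), m.group(2)
        if raw.startswith("dword:"):
            values[(key, name)] = int(raw[6:], 16)
        elif len(raw) >= 2 and raw[0] == raw[-1] == '"':
            values[(key, name)] = raw[1:-1]
    return values

def find_weakened_settings(values):
    """Return (key, name, data) for each advisory setting present with the
    weakening data; string data is compared case-insensitively ("N"/"n")."""
    hits = []
    for (key, name), bad in TILEBOT_J_SETTINGS.items():
        data = values.get((key.lower(), name.lower()))
        if data is not None and str(data).lower() == str(bad).lower():
            hits.append((key, name, data))
    return hits

if __name__ == "__main__":
    for key, name, data in find_weakened_settings(parse_reg_export(SAMPLE_REG)):
        print(f"{key}\\{name} = {data!r}")
```

Run it against "reg export HKLM\SOFTWARE\Microsoft\Security Center sc.reg" and the firewall, service and OLE keys in turn, or against a full hive export, to see which of the listed values are in force.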

W32/Tilebot-J may create the file orans.sys and set up a service for 
it named ORANS. This file is currently detected as Troj/Rootkit-AA. 
The following registry branches are created:

HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_ORANS\
<several entries>

HKLM\SYSTEM\CurrentControlSet\Services\orans\
<several entries>





Name   W32/Mytob-HM

Type  
    * Worm

How it spreads  
    * Email attachments
    * Network shares

Affected operating systems  
    * Windows

Side effects  
    * Turns off anti-virus applications
    * Allows others to access the computer
    * Sends itself to email addresses found on the infected computer
    * Modifies data on the computer
    * Uses its own emailing engine

Aliases  
    * Net-Worm.Win32.Mytob.t
    * WORM_MYTOB.HM
    * W32/Mytob.GX@mm

Prevalence (1-5) 2

Description
W32/Mytob-HM is a mass-mailing worm and backdoor Trojan that can be 
controlled through the Internet Relay Chat (IRC) network.

W32/Mytob-HM is capable of spreading through email and through 
various operating system vulnerabilities such as LSASS (MS04-011). 
Emails sent by W32/Mytob-HM have the following properties:

Subject line:

document
Good day
Hello
Mail Delivery System
Mail Transaction Failed
message
readme
Server Report
Status

Message text:

'This is a multi-part message in MIME format.'
'Mail transaction failed. Partial message is available.'
'The message contains Unicode characters and has been sent as a 
 binary attachment.'
'The message cannot be represented in 7-bit ASCII encoding and has 
 been sent as a binary attachment.'
'The original message was included as an attachment.'
'Here are your banks documents.'

The attached file consists of a base name followed by the extensions 
PIF, SCR, EXE or ZIP. The worm may optionally create double 
extensions where the first extension is DOC, TXT or HTM and the final 
extension is PIF, SCR, EXE or ZIP.

Advanced
W32/Mytob-HM is a mass-mailing worm and backdoor Trojan that can be 
controlled through the Internet Relay Chat (IRC) network.

When first run W32/Mytob-HM copies itself to the Windows system 
folder as yahooicons.exe and creates the following registry entries:

HKCU\System\CurrentControlSet\Control\Lsa
WINTASK
"yahooicons.exe"

HKCU\Software\Microsoft\OLE
WINTASK
"yahooicons.exe"

HKCU\Software\Microsoft\Windows\CurrentVersion\Run
WINTASK
"yahooicons.exe"

HKLM\System\CurrentControlSet\Control\Lsa
WINTASK
"yahooicons.exe"

HKLM\Software\Microsoft\Ole
WINTASK
"yahooicons.exe"

HKLM\Software\Microsoft\Windows\CurrentVersion\Run
WINTASK
"yahooicons.exe"

HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices
WINTASK
"yahooicons.exe"

W32/Mytob-HM copies itself to the root folder as:

funny_pic.scr
my_photo2005.scr
see_this!!.scr

and drops a file called hellmsn.exe (detected by Sophos as 
W32/Mytob-D) in the same location. This component attempts to spread 
the worm by sending the aforementioned SCR files through Windows 
Messenger to all online contacts.

W32/Mytob-HM also appends entries to the HOSTS file that map a number 
of security-related websites to 127.0.0.1, so that they cannot be 
reached from the infected computer.


W32/Mytob-HM is capable of spreading through email and through 
various operating system vulnerabilities such as LSASS (MS04-011). 
Emails sent by W32/Mytob-HM have the following properties:

Subject line:

document
Good day
Hello
Mail Delivery System
Mail Transaction Failed
message
readme
Server Report
Status

Message text:

'This is a multi-part message in MIME format.'
'Mail transaction failed. Partial message is available.'
'The message contains Unicode characters and has been sent as a 
 binary attachment.'
'The message cannot be represented in 7-bit ASCII encoding and has 
 been sent as a binary attachment.'
'The original message was included as an attachment.'
'Here are your banks documents.'

The attached file consists of a base name followed by the extensions 
PIF, SCR, EXE or ZIP. The worm may optionally create double 
extensions where the first extension is DOC, TXT or HTM and the final 
extension is PIF, SCR, EXE or ZIP.
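The subject, body and attachment rules described above for W32/Mytob-HM translate directly into a mail-gateway check. The Python below is an added example, not part of the advisory: an attachment of the described type is required before any action is taken, and the lure subject and fake-bounce wording only raise the verdict from "flag" to "quarantine", since both also occur in genuine delivery-failure mail. The sample messages are constructed.

```python
# Lure strings and extensions taken from the W32/Mytob-HM advisory above.
FINAL_EXTENSIONS = {"pif", "scr", "exe", "zip"}
DECOY_EXTENSIONS = {"doc", "txt", "htm"}
LURE_SUBJECTS = {"document", "good day", "hello", "mail delivery system",
                 "mail transaction failed", "message", "readme",
                 "server report", "status"}
BOUNCE_PHRASES = ("sent as a binary attachment",
                  "partial message is available",
                  "original message was included as an attachment")

def classify_attachment(filename):
    """Classify one attachment name. Returns 'double-extension' for
    base.<doc|txt|htm>.<pif|scr|exe|zip>, 'executable' for
    base.<pif|scr|exe|zip>, otherwise 'ok'. Case-insensitive, as Windows is."""
    parts = filename.strip().lower().rsplit(".", 2)
    if len(parts) >= 2 and parts[-1] in FINAL_EXTENSIONS:
        if len(parts) == 3 and parts[-2] in DECOY_EXTENSIONS:
            return "double-extension"
        return "executable"
    return "ok"

def assess_message(subject, body, attachments):
    """Return (verdict, reasons). Verdicts: 'pass' (no matching attachment),
    'flag' (matching attachment only), 'quarantine' (attachment plus at
    least one corroborating lure signal)."""
    reasons = []
    kinds = {classify_attachment(a) for a in attachments}
    if "double-extension" in kinds:
        reasons.append("attachment with decoy double extension")
    elif "executable" in kinds:
        reasons.append("executable-type attachment")
    if not reasons:
        return "pass", reasons
    if subject.strip().lower() in LURE_SUBJECTS:
        reasons.append("subject matches advisory lure list")
    if any(p in body.lower() for p in BOUNCE_PHRASES):
        reasons.append("fake bounce wording in body")
    return ("quarantine" if len(reasons) > 1 else "flag"), reasons

# Constructed sample messages (subject, body, attachment names), not captured mail.
SAMPLES = [
    ("Mail Transaction Failed",
     "Mail transaction failed. Partial message is available.",
     ["message.doc.pif"]),
    ("Invoice 4471", "Please find the invoice attached.", ["setup.exe"]),
    ("Team photos", "A few pictures from Friday.", ["friday.jpg"]),
]

if __name__ == "__main__":
    for subject, body, files in SAMPLES:
        print(subject, "->", assess_message(subject, body, files))
```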

W32/Mytob-HM harvests email addresses from files on the infected 
computer and from the Windows Address Book. The worm avoids sending 
emails to addresses that contain the following:

.gov
.mil
accoun
acketst
admin
anyone
arin.
avp
berkeley
borlan
bsd
bsd
bugs
ca
certific
contact
example
feste
fido
foo.
fsf.
gnu
gold-certs
google
google
gov.
help
iana
ibm.com
icrosof
icrosoft
ietf
info
inpris
isc.o
isi.e
kernel
linux
linux
listserv
math
me
mit.e
mozilla
mydomai
no
nobody
nodomai
noone
not
nothing
ntivi
page
panda
pgp
postmaster
privacy
rating
rfc-ed
ripe.
root
ruslis
samples
secur
sendmail
service
site
soft
somebody
someone
sopho
submit
support
syma
tanford.e
the.bat
unix
unix
usenet
utgers.ed
webmaster
you
your





Name   W32/Kassbot-H

Type  
    * Spyware Worm

How it spreads  
    * Network shares

Affected operating systems  
    * Windows

Side effects  
    * Allows others to access the computer
    * Modifies data on the computer
    * Deletes files off the computer
    * Steals information
    * Downloads code from the internet

Prevalence (1-5) 2

Description
W32/Kassbot-H is a worm and backdoor Trojan for the Windows platform.

W32/Kassbot-H runs continuously in the background, providing a 
backdoor server which allows a remote intruder to gain access and 
control over the computer.

W32/Kassbot-H includes functionality to access the internet and 
communicate with a remote server via HTTP and IRC.

W32/Kassbot-H may send an email to a pre-defined email address 
containing system information from the infected computer.

W32/Kassbot-H will monitor a user's internet access. When certain 
internet sites are accessed, the worm will redirect the user to a 
website with fake login pages or email the stolen details to a 
pre-specified email address.

W32/Kassbot-H will attempt to spread by exploiting the LSASS 
vulnerability (MS04-011). The following patch for the operating system 
vulnerability exploited by W32/Kassbot-H can be obtained from the 
Microsoft website:

MS04-011

Advanced
W32/Kassbot-H is a worm and backdoor Trojan for the Windows platform.

W32/Kassbot-H runs continuously in the background, providing a 
backdoor server which allows a remote intruder to gain access and 
control over the computer.

W32/Kassbot-H includes functionality to access the internet and 
communicate with a remote server via HTTP and IRC.

When first run W32/Kassbot-H copies itself to <System>\spools.exe and 
creates the file <System>\xbccd.log. The file xbccd.log may be deleted.

The following registry entry is created to run spools.exe on startup:

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Spools Service Controller
<System>\spools.exe

W32/Kassbot-H may send an email to a pre-defined email address 
containing system information from the infected computer.

W32/Kassbot-H will monitor a user's internet access. When certain 
internet sites are accessed, the worm will redirect the user to a 
website with fake login pages or email the stolen details to a 
pre-specified email address.

W32/Kassbot-H will attempt to spread by exploiting the LSASS 
vulnerability (MS04-011). The following patch for the operating system 
vulnerability exploited by W32/Kassbot-H can be obtained from the 
Microsoft website:

MS04-011

W32/Kassbot-H will append entries for a number of anti-virus vendor 
hostnames to the HOSTS file in an attempt to block access to 
anti-virus related websites.

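Both W32/Mytob-HM and W32/Kassbot-H tamper with the HOSTS file in the way described above. The Python below is an added example, not part of either advisory: it parses a HOSTS file and reports every non-local hostname pointed at a loopback or unspecified address, which catches the technique without needing a list of vendor domains. The sample file and its hostnames are constructed.

```python
import ipaddress

# Names that legitimately map to loopback in a stock HOSTS file.
LOCAL_NAMES = {"localhost", "localhost.localdomain", "broadcasthost",
               "ip6-localhost", "ip6-loopback"}

def parse_hosts(text):
    """Yield (address, hostname, line_no) for every mapping in a HOSTS
    file, skipping blank lines and '#' comments, including trailing ones.
    One line may name several hosts after the address."""
    for line_no, line in enumerate(text.splitlines(), 1):
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        fields = line.split()
        for host in fields[1:]:
            yield fields[0], host.lower().rstrip("."), line_no

def find_sinkholed_hosts(text):
    """Return (line_no, hostname, address) for entries that send a
    non-local name to 127.0.0.0/8, ::1 or 0.0.0.0. Lines whose address
    field is not an IP address are ignored rather than treated as hits."""
    hits = []
    for addr, host, line_no in parse_hosts(text):
        try:
            ip = ipaddress.ip_address(addr)
        except ValueError:
            continue
        if (ip.is_loopback or ip.is_unspecified) and host not in LOCAL_NAMES:
            hits.append((line_no, host, addr))
    return hits

# Constructed sample HOSTS file; the vendor-like names are placeholders.
SAMPLE_HOSTS = """# constructed sample HOSTS file (not a real capture)
127.0.0.1       localhost
::1             localhost
10.0.0.5        intranet.corp.test
127.0.0.1 www.example-av.test
127.0.0.1 update.example-av.test   # appended by worm
0.0.0.0 liveupdate.example-av.test
"""

if __name__ == "__main__":
    # On Windows the live file is %SystemRoot%\System32\drivers\etc\hosts.
    for line_no, host, addr in find_sinkholed_hosts(SAMPLE_HOSTS):
        print(f"line {line_no}: {host} -> {addr}")
```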





Name   W32/Demotry-B

Type  
    * Worm

How it spreads  
    * Network shares

Affected operating systems  
    * Windows

Side effects  
    * Allows others to access the computer
    * Downloads code from the internet
    * Installs itself in the Registry

Prevalence (1-5) 2

Description
W32/Demotry-B is a network worm for the Windows platform.

The worm scans network computers on port 445. W32/Demotry-B copies 
itself through network shares and mapped logical drives.

In some cases, W32/Demotry-B may insert several spaces between the 
filename and the EXE file extension. The worm may also use other 
filenames that are randomly generated or include non-printable 
characters.

Advanced
W32/Demotry-B is a network worm for the Windows platform.

When first run W32/Demotry-B copies itself to:

\iexplorer .exe
<Windows>\iexplorer .exe
<System>\iexplorer .exe

The following registry entry is created to run "iexplorer .exe" on 
startup:

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
ALG.EXE
"iexplorer .exe"

The worm scans network computers on port 445. W32/Demotry-B copies 
itself through network shares and mapped logical drives.

In some cases, W32/Demotry-B may insert several spaces between the 
filename and the EXE file extension. The worm may also use other 
filenames that are randomly generated or include non-printable 
characters.





Name   Troj/Brospy-A

Type  
    * Spyware Trojan

Affected operating systems  
    * Windows

Side effects  
    * Steals information
    * Installs itself in the Registry

Aliases  
    * Trojan-Spy.Win32.Agent.dq

Prevalence (1-5) 2

Description
Troj/Brospy-A is a Trojan for the Windows platform.

Advanced
Troj/Brospy-A is a Trojan for the Windows platform.

When Troj/Brospy-A is installed it creates the file 
<System>\appwiz.dll.

The file appwiz.dll is registered as a COM object and Browser Helper 
Object (BHO) for Microsoft Internet Explorer, creating registry 
entries under:

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{78364D99-A640-4ddf-B91A-67EFF8373045}
HKCR\CLSID\{78364D99-A640-4ddf-B91A-67EFF8373045}

Troj/Brospy-A monitors browser activity and attempts to steal 
passwords that are cached or held in protected storage, as well as 
email usernames and passwords.

Troj/Brospy-A sends any harvested information to a pre-specified 
email address.

The following registry entry is set:

HKCU\Software\Microsoft\Internet Explorer\Main
Enable Browser Extensions
yes





Name   Troj/ByteVeri-M

Type  
    * Trojan

Affected operating systems  
    * Windows

Side effects  
    * Downloads code from the internet
    * Exploits system or software vulnerabilities

Aliases  
    * Exploit-ByteVerify
    * JAVA_BYTEVER.Q
    * Trojan.Java.ClassLoader.ai

Prevalence (1-5) 2

Description
Troj/ByteVeri-M is a Java Applet that exploits a vulnerability in the 
Byte Code Verify component of the Microsoft VM to download and run an 
executable file.

Advanced
Troj/ByteVeri-M is a Java Applet that exploits a vulnerability in the 
Byte Code Verify component of the Microsoft VM to download and run an 
executable file.

Troj/ByteVeri-M arrives when the user browses websites whose pages 
contain applets that use the Troj/ByteVeri-M class.

For more information about this exploit see the Microsoft Security 
Bulletin MS03-011.





Name   W32/Dogbot-C

Type  
    * Worm

How it spreads  
    * Network shares

Affected operating systems  
    * Windows

Side effects  
    * Allows others to access the computer
    * Drops more malware
    * Installs itself in the Registry
    * Exploits system or software vulnerabilities
    * Leaves non-infected files on computer

Aliases  
    * Backdoor.Win32.IRCBot.et
    * W32.Zotob.G

Prevalence (1-5) 2

Description
W32/Dogbot-C is a network worm with IRC backdoor Trojan functionality 
for the Windows platform.

W32/Dogbot-C spreads using a variety of techniques including the 
exploitation of operating system vulnerabilities such as PnP 
(MS05-039).

Advanced
W32/Dogbot-C is a network worm with IRC backdoor Trojan functionality 
for the Windows platform.

When run, W32/Dogbot-C creates the folder <System>\usrnt\ and copies 
itself to the new folder using the filename windrg32.exe. The 
following registry entries are created in order to run the worm copy 
each time a user logs on:

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
WinDrg32
<System>\usrnt\windrg32.exe

W32/Dogbot-C may create the clean file newshashes.bin in this folder 
as well.

W32/Dogbot-C spreads using a variety of techniques including the 
exploitation of operating system vulnerabilities such as PnP 
(MS05-039).

The backdoor component connects to an IRC server and joins a 
predetermined channel where it then awaits commands from attackers.

W32/Dogbot-C may attempt to download and execute additional files.

W32/Dogbot-C attempts to disable and remove several adware related 
applications.

Patches for the operating system vulnerabilities exploited by 
W32/Dogbot-C can be obtained from Microsoft at:

MS05-039





Name   Troj/Bancban-EM

Type  
    * Spyware Trojan

Affected operating systems  
    * Windows

Side effects  
    * Steals information
    * Uses its own emailing engine
    * Records keystrokes
    * Installs itself in the Registry

Aliases  
    * Trojan-Spy.Win32.Banker.ju

Prevalence (1-5) 2

Description
Troj/Bancban-EM is a password-stealing Trojan that attempts to steal 
information related to certain banks.

Troj/Bancban-EM may display fake login screens when certain banking 
websites are visited, in order to trick the user into entering 
confidential details. Stolen information is sent by email to a remote 
user.

Advanced
Troj/Bancban-EM is a password-stealing Trojan that attempts to steal 
information related to certain banks.

Troj/Bancban-EM may display fake login screens when certain banking 
websites are visited in order to trick the user into entering 
confidential details. Stolen information is sent by email to a remote 
user.

When first run the Trojan copies itself to <Windows>\svchosts.scr and 
creates the following registry entry in order to run itself on startup:

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
svchosts.scr
<Windows>\svchosts.scr





Name   Troj/Whistler-F

Type  
    * Trojan

Affected operating systems  
    * Windows

Side effects  
    * Modifies data on the computer
    * Deletes files off the computer
    * Installs itself in the Registry
    * Leaves non-infected files on computer

Aliases  
    * Trojan.Win32.Dire.c
    * QDel247
    * Win32/Dire.C
    * TROJ_QDEL247.A

Prevalence (1-5) 2

Description
Troj/Whistler-F is a destructive Trojan for the Windows platform.

Troj/Whistler-F will attempt to delete files on the user's computer. 
The Trojan will also create a file at C:\WXP and copy it over other 
files. The file contains the message "You did a piracy, you deserve 
it."

Advanced
Troj/Whistler-F is a destructive Trojan for the Windows platform.

Troj/Whistler