Conference VIRUS, 378 messages
Message 153, 1314 lines
Written 2005-10-30 19:32:00 by KURT WISMER (1:123/140)
Subject: News, October 30 2005
=============================
[cut-n-paste from sophos.com]

Name   Troj/Hanlo-B

Type  
    * Trojan

Affected operating systems  
    * Windows

Side effects  
    * Drops more malware
    * Downloads code from the internet

Aliases  
    * Trojan-Downloader.Win32.Hanlo.b
    * Downloader-AGH
    * TROJ_DLOADER.AJQ

Prevalence (1-5) 2

Description
Troj/Hanlo-B is a Trojan for the Windows platform.

Troj/Hanlo-B includes functionality to access the internet and 
communicate with a remote server via HTTP.

Troj/Hanlo-B downloads the following files:

tBmp107.exe
tBmp207.exe
tBmp307.exe
tBmp407.exe
tBmp507.exe
tBmp607.exe
tBmp707.exe

Advanced
Troj/Hanlo-B is a Trojan for the Windows platform.

Troj/Hanlo-B includes functionality to access the internet and 
communicate with a remote server via HTTP.

Troj/Hanlo-B downloads the following files:

tBmp107.exe
tBmp207.exe
tBmp307.exe
tBmp407.exe
tBmp507.exe
tBmp607.exe
tBmp707.exe

Troj/Hanlo-B creates the following file:

<System>\avA6.sys

The file avA6.sys is detected as Troj/Haxdor-Gen.

The file avA6.sys is registered as a new system driver service named 
"avA6", with a display name of "AVP update interface A6". Registry 
entries are created under:

HKLM\SYSTEM\CurrentControlSet\Services\avA6\





Name   W32/Rbot-ATC

Type  
    * Worm

How it spreads  
    * Network shares

Affected operating systems  
    * Windows

Side effects  
    * Allows others to access the computer
    * Downloads code from the internet
    * Installs itself in the Registry
    * Exploits system or software vulnerabilities
    * Used in DOS attacks

Aliases  
    * Backdoor.Win32.Rbot.nt
    * BKDR_SDBOT.ON

Prevalence (1-5) 2

Description
W32/Rbot-ATC is a worm and IRC backdoor Trojan for the Windows 
platform.

W32/Rbot-ATC spreads to other network computers by exploiting common 
buffer overflow vulnerabilities, including: LSASS (MS04-011), RPC-DCOM 
(MS04-012) and WKS (MS03-049) (CAN-2003-0812) and by copying itself 
to network shares protected by weak passwords.

W32/Rbot-ATC runs continuously in the background, providing a 
backdoor server which allows a remote intruder to gain access and 
control over the computer via IRC channels.

W32/Rbot-ATC includes functionality to:

- carry out DDoS flooder attacks
- silently download, install and run new software, including updates 
of its software

The following patches for the operating system vulnerabilities 
exploited by W32/Rbot-ATC can be obtained from the Microsoft website:

MS04-011
MS04-012
MS03-049

Advanced
W32/Rbot-ATC is a worm and IRC backdoor Trojan for the Windows 
platform.

W32/Rbot-ATC spreads to other network computers by exploiting common 
buffer overflow vulnerabilities, including: LSASS (MS04-011), RPC-DCOM 
(MS04-012) and WKS (MS03-049) (CAN-2003-0812) and by copying itself 
to network shares protected by weak passwords.

W32/Rbot-ATC runs continuously in the background, providing a 
backdoor server which allows a remote intruder to gain access and 
control over the computer via IRC channels.

W32/Rbot-ATC includes functionality to:

- carry out DDoS flooder attacks
- silently download, install and run new software, including updates 
of its software

When first run W32/Rbot-ATC copies itself to <System>\MSAOL32dll.exe.

The following registry entries are created to run MSAOL32dll.exe on 
startup:

HKCU\Software\Microsoft\Windows\CurrentVersion\Run
AOL Instant Messenger dll runtime
MSAOL32dll.exe

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
AOL Instant Messenger dll runtime
MSAOL32dll.exe

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices
AOL Instant Messenger dll runtime
MSAOL32dll.exe

The following patches for the operating system vulnerabilities 
exploited by W32/Rbot-ATC can be obtained from the Microsoft website:

MS04-011
MS04-012
MS03-049





Name   Troj/Midrug-B

Type  
    * Trojan

Affected operating systems  
    * Windows

Side effects  
    * Allows others to access the computer
    * Installs itself in the Registry

Aliases  
    * BackDoor-AYE

Prevalence (1-5) 2

Description
Troj/Midrug-B is a Trojan for the Windows platform. It may attempt to 
connect to a remote server.

Advanced
Troj/Midrug-B is a Trojan for the Windows platform. It may attempt to 
connect to a remote server.

Troj/Midrug-B is capable of creating a registry entry to auto start 
itself under:

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run





Name   W32/Mytob-BZ

Type  
    * Spyware Worm

How it spreads  
    * Email attachments
    * Network shares

Affected operating systems  
    * Windows

Side effects  
    * Allows others to access the computer
    * Sends itself to email addresses found on the infected computer
    * Modifies data on the computer
    * Steals information
    * Drops more malware

Prevalence (1-5) 2

Description
W32/Mytob-BZ is a mass-mailing worm and backdoor Trojan that can be 
controlled through the Internet Relay Chat (IRC) network.

W32/Mytob-BZ is capable of spreading through email and through 
various operating system vulnerabilities such as LSASS (MS04-011).

W32/Mytob-BZ harvests email addresses from files on the infected 
computer and from the Windows address book.

Advanced
W32/Mytob-BZ is a mass-mailing worm and backdoor Trojan that can be 
controlled through the Internet Relay Chat (IRC) network.

When first run W32/Mytob-BZ copies itself to the Windows system 
folder as taskgmr.exe and creates the following registry entries:

HKCU\System\CurrentControlSet\Control\Lsa
W1NTASK
taskgmr.exe

HKCU\Software\Microsoft\OLE
W1NTASK
taskgmr.exe

HKCU\Software\Microsoft\Windows\CurrentVersion\Run
W1NTASK
taskgmr.exe

HKLM\System\CurrentControlSet\Control\Lsa
W1NTASK
taskgmr.exe

HKLM\Software\Microsoft\Ole
W1NTASK
taskgmr.exe

HKLM\Software\Microsoft\Windows\CurrentVersion\Run
W1NTASK
taskgmr.exe

HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices
W1NTASK
taskgmr.exe

W32/Mytob-BZ copies itself to the root folder as:

funny_pic.scr
my_photo2005.scr
see_this!!.scr

and drops a file called hellmsn.exe (detected by Sophos as W32/Mytob-D) 
in the same location. This component attempts to spread the worm by 
sending the aforementioned SCR files through Windows Messenger to all 
online contacts.

W32/Mytob-BZ also appends the following to the HOSTS file to deny 
access to security related websites:

127.0.0.1 www.symantec.com
127.0.0.1 securityresponse.symantec.com
127.0.0.1 symantec.com
127.0.0.1 www.sophos.com
127.0.0.1 sophos.com
127.0.0.1 www.mcafee.com
127.0.0.1 mcafee.com
127.0.0.1 liveupdate.symantecliveupdate.com
127.0.0.1 www.viruslist.com
127.0.0.1 viruslist.com
127.0.0.1 viruslist.com
127.0.0.1 f-secure.com
127.0.0.1 www.f-secure.com
127.0.0.1 kaspersky.com
127.0.0.1 www.avp.com
127.0.0.1 www.kaspersky.com
127.0.0.1 avp.com
127.0.0.1 www.networkassociates.com
127.0.0.1 networkassociates.com
127.0.0.1 www.ca.com
127.0.0.1 ca.com
127.0.0.1 mast.mcafee.com
127.0.0.1 my-etrust.com
127.0.0.1 www.my-etrust.com
127.0.0.1 download.mcafee.com
127.0.0.1 dispatch.mcafee.com
127.0.0.1 secure.nai.com
127.0.0.1 nai.com
127.0.0.1 www.nai.com
127.0.0.1 update.symantec.com
127.0.0.1 updates.symantec.com
127.0.0.1 us.mcafee.com
127.0.0.1 liveupdate.symantec.com
127.0.0.1 customer.symantec.com
127.0.0.1 rads.mcafee.com
127.0.0.1 trendmicro.com
127.0.0.1 www.microsoft.com
127.0.0.1 www.trendmicro.com

W32/Mytob-BZ is capable of spreading through email and through 
various operating system vulnerabilities such as LSASS (MS04-011). 
Email sent by W32/Mytob-BZ has the following properties:

Subject line:

document
Good day
Mail Delivery System
Mail Transaction Failed
message
readme
Server Report
Status

Message text:

'This is a multi-part message in MIME format.'

'Mail transaction failed. Partial message is available.'

'The message contains Unicode characters and has been sent as a 
binary attachment.'

'The message cannot be represented in 7-bit ASCII encoding and has 
been sent as a binary attachment.'

'The original message was included as an attachment.'

'Here are your banks documents.'

The attached file consists of a base name followed by the extensions 
PIF, SCR, EXE or ZIP. The worm may optionally create double 
extensions where the first extension is DOC, TXT or HTM and the final 
extension is PIF, SCR, EXE or ZIP.

W32/Mytob-BZ harvests email addresses from files on the infected 
computer and from the Windows address book. The worm avoids sending 
email to addresses that contain the following:

.gov
.mil
accoun
acketst
admin
anyone
arin.
avp
berkeley
borlan
bsd
bsd
bugs
ca
certific
contact
example
feste
fido
foo.
fsf.
gnu
gold-certs
google
google
gov.
help
iana
ibm.com
icrosof
icrosoft
ietf
info
inpris
isc.o
isi.e
kernel
linux
linux
listserv
math
me
mit.e
mozilla
mydomai
no
nobody
nodomai
noone
not
nothing
ntivi
page
panda
pgp
postmaster
privacy
rating
rfc-ed
ripe.
root
ruslis
samples
secur
sendmail
service
site
soft
somebody
someone
sopho
submit
support
syma
tanford.e
the.bat
unix
unix
usenet
utgers.ed
webmaster
you
your





Name   W32/Rbot-ATE

Type  
    * Worm

How it spreads  
    * Network shares

Affected operating systems  
    * Windows

Side effects  
    * Allows others to access the computer
    * Installs itself in the Registry
    * Exploits system or software vulnerabilities

Aliases  
    * Backdoor.Win32.Rbot.aci

Prevalence (1-5) 2

Description
W32/Rbot-ATE is a worm and IRC backdoor Trojan for the Windows 
platform.

W32/Rbot-ATE spreads to network shares with weak passwords and by 
exploiting common buffer overflow vulnerabilities, including: RPC-DCOM 
(MS04-012), PNP (MS05-039) and ASN.1 (MS04-007).

W32/Rbot-ATE runs continuously in the background, providing a 
backdoor server which allows a remote intruder to gain access and 
control over the computer via IRC channels.

Advanced
W32/Rbot-ATE is a worm and IRC backdoor Trojan for the Windows 
platform.

W32/Rbot-ATE spreads to network shares with weak passwords and by 
exploiting common buffer overflow vulnerabilities, including: RPC-DCOM 
(MS04-012), PNP (MS05-039) and ASN.1 (MS04-007).

W32/Rbot-ATE runs continuously in the background, providing a 
backdoor server which allows a remote intruder to gain access and 
control over the computer via IRC channels.

When first run W32/Rbot-ATE copies itself to <System>\hhs32.pif.

The following registry entries are created to run hhs32.pif on startup:

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
HTML32 Help System
hhs32.pif

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices
HTML32 Help System
hhs32.pif

HKCU\Software\Microsoft\Windows\CurrentVersion\Run
HTML32 Help System
hhs32.pif

HKCU\Software\Microsoft\Windows\CurrentVersion\RunServices
HTML32 Help System
hhs32.pif

Registry entries are set as follows:

HKLM\SOFTWARE\Microsoft\OLE
HTML32 Help System
hhs32.pif

HKCU\Software\Microsoft\OLE
HTML32 Help System
hhs32.pif

HKLM\SYSTEM\CurrentControlSet\Control\Lsa
HTML32 Help System
hhs32.pif

HKCU\SYSTEM\CurrentControlSet\Control\Lsa
HTML32 Help System
hhs32.pif





Name   Troj/Keylog-AP

Type  
    * Spyware Trojan

Affected operating systems  
    * Windows

Side effects  
    * Steals information
    * Forges the sender's email address
    * Uses its own emailing engine
    * Records keystrokes
    * Installs itself in the Registry

Aliases  
    * Trojan-Dropper.Win32.Agent.zf

Prevalence (1-5) 2

Description
Troj/Keylog-AP is a keylogging Trojan for the Windows platform.

Advanced
Troj/Keylog-AP is a keylogging Trojan for the Windows platform.

When Troj/Keylog-AP is installed it creates the file 
<System>\wcsys.exe.

The following registry entry is created to run wcsys.exe on startup:

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
wcsys
<System>\wcsys.exe

Troj/Keylog-AP creates a file named wcsys.dll in the Windows system 
folder. This file is detected as Troj/Keylog-AC.

The Trojan may inject itself into the explorer process or register 
itself as a service process in order to prevent itself from being 
terminated.

Troj/Keylog-AP records keystrokes to the file wcsys32.dll in the 
Windows system folder. When this file becomes larger than 4kb, its 
contents are submitted to the author by email.





Name   W32/Agobot-TW

Type  
    * Worm

How it spreads  
    * Network shares

Affected operating systems  
    * Windows

Side effects  
    * Allows others to access the computer
    * Installs itself in the Registry
    * Exploits system or software vulnerabilities

Prevalence (1-5) 2

Description
W32/Agobot-TW is a worm and backdoor Trojan for the Windows platform.

W32/Agobot-TW runs continuously in the background, providing a 
backdoor server which allows a remote intruder to gain access and 
control over the computer.

W32/Agobot-TW spreads via common buffer overflow exploits, including 
LSASS (MS04-011), RPC-DCOM (MS04-012), and PNP (MS05-039), as well as 
to weakly protected network shares.

Advanced
W32/Agobot-TW is a worm and backdoor Trojan for the Windows platform.

W32/Agobot-TW runs continuously in the background, providing a 
backdoor server which allows a remote intruder to gain access and 
control over the computer.

W32/Agobot-TW spreads via common buffer overflow exploits, including 
LSASS (MS04-011), RPC-DCOM (MS04-012), and PNP (MS05-039), as well as 
to weakly protected network shares.

When first run W32/Agobot-TW copies itself to <System>\msn5.exe.

The following registry entries are created to run msn5.exe on startup:

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Video Process
msn5.exe

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices
Video Process
msn5.exe

The file msn5.exe is registered as a new file system driver service 
named "Video Process", with a display name of "Video Process" and a 
startup type of automatic, so that it is started automatically during 
system startup. Registry entries are created under:

HKLM\SYSTEM\CurrentControlSet\Services\Video Process\





Name   W32/Chode-J

Type  
    * Worm

How it spreads  
    * Chat programs

Affected operating systems  
    * Windows

Side effects  
    * Turns off anti-virus applications
    * Allows others to access the computer
    * Installs itself in the Registry
    * Used in DOS attacks

Aliases  
    * Backdoor.Win32.Virkel.a

Prevalence (1-5) 2

Description
W32/Chode-J is a worm with IRC backdoor Trojan functionality.

W32/Chode-J attempts to spread via MSN Instant Messenger and AOL 
Instant Messenger, by sending users a link to a copy of the worm.

W32/Chode-J includes functionality to:

- carry out DDoS flooder attacks
- provide a proxy server
- silently download, install and run new software
- modify the HOSTS file
- disable other software, including anti-virus, firewall and security 
related applications
- update itself

W32/Chode-J attempts to disable a number of AV and security related 
processes.

W32/Chode-J modifies the HOSTS file, changing the URL-to-IP mappings 
for selected websites.

Advanced
W32/Chode-J is a worm with IRC backdoor Trojan functionality.

W32/Chode-J attempts to spread via MSN Instant Messenger and AOL 
Instant Messenger, by sending users a link to a copy of the worm.

W32/Chode-J includes functionality to:

- carry out DDoS flooder attacks
- provide a proxy server
- silently download, install and run new software
- modify the HOSTS file
- disable other software, including anti-virus, firewall and security 
related applications
- update itself

When first run W32/Chode-J copies itself to 
<System>\<random>\csrss.exe and also creates the file csrss.lnk to 
the <Startup> folder.

The following registry entries are created:

HKCU\Software\Microsoft\Windows NT\CurrentVersion\Run
csrss
"<System>\<random>\csrss.exe"

HKCU\Software\Microsoft\Windows\CurrentVersion\Run
csrss
"<Program Files>\<Messenger>\msmsgs.exe /background"

HKLM\Software\Microsoft\Windows\CurrentVersion\Run
csrss
"nwiz.exe /installquiet"

W32/Chode-J modifies a number of registry entries as the following:

HKCU\Software\Microsoft\Windows NT\CurrentVersion\Windows
load
"<System>\<random>\csrss.exe"

HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced
Hidden
2

HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced
ShowSuperHidden
0

HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced
SuperHidden
0

HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SystemRestore
DisableSR
1

HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess
Start
4

HKLM\SYSTEM\CurrentControlSet\Services\srservice
Start
4

W32/Chode-J also inserts the following entry into [Windows] section 
of <Windows>\win.ini:

run=<System>\<random\csrss.exe
load=<System>\<random\csrss.exe

W32/Chode-J modifies the HOSTS file, changing the URL-to-IP mappings 
for selected websites, therefore preventing normal access to these 
sites. The new HOSTS file will typically contain the following:

127.0.0.1 avp.com
127.0.0.1 www.avp.com
127.0.0.1 ca.com
127.0.0.1 dispatch.mcafee.com
127.0.0.1 download.mcafee.com
127.0.0.1 f-secure.com
127.0.0.1 fastclick.net
127.0.0.1 ftp.f-secure.com
127.0.0.1 ftp.sophos.com
127.0.0.1 liveupdate.symantec.com
127.0.0.1 customer.symantec.com
127.0.0.1 rads.mcafee.com
127.0.0.1 mast.mcafee.com
127.0.0.1 mcafee.com
127.0.0.1 my-etrust.com
127.0.0.1 nai.com
127.0.0.1 networkassociates.com
127.0.0.1 secure.nai.com
127.0.0.1 securityresponse.symantec.com
127.0.0.1 service1.symantec.com
127.0.0.1 sophos.com
127.0.0.1 support.microsoft.com
127.0.0.1 symantec.com
127.0.0.1 update.symantec.com
127.0.0.1 updates.symantec.com
127.0.0.1 us.mcafee.com
127.0.0.1 vil.nai.com
127.0.0.1 viruslist.com
127.0.0.1 www.viruslist.com
127.0.0.1 www.awaps.net
127.0.0.1 www.ca.com
127.0.0.1 www.f-secure.com
127.0.0.1 www.fastclick.net
127.0.0.1 www.mcafee.com
127.0.0.1 www.microsoft.com
127.0.0.1 www.my-etrust.com
127.0.0.1 www.nai.com
127.0.0.1 www.networkassociates.com
127.0.0.1 www.sophos.com
127.0.0.1 www.symantec.com
127.0.0.1 www3.ca.com
127.0.0.1 www.grisoft.com
127.0.0.1 grisoft.com
127.0.0.1 housecall.trendmicro.com
127.0.0.1 trendmicro.com
127.0.0.1 www.trendmicro.com
127.0.0.1 www.pandasoftware.com
127.0.0.1 pandasoftware.com
127.0.0.1 kaspersky.com
127.0.0.1 www.kaspersky.com
127.0.0.1 www.zonelabs.com
127.0.0.1 zonelabs.com
127.0.0.1 www.spywareinfo.com
127.0.0.1 spywareinfo.com
127.0.0.1 www.merijn.org
127.0.0.1 merijn.org

W32/Chode-J attempts to disable the following processes:

MCAgentExe
navapsvc
ccEvtMgr
SNDSrvc
ccProxy
ccPwdSvc
ccSetMgr
SPBBCSvc
SAVScan
SBService
SmcService
OutpostFirewall
CAISafe
PcCtlCom
tmproxy
Tmntsrv
net stop
sc config
start= disabled
CleanUp
MCUpdateExe
VirusScan Online
VSOCheckTask
Symantec NetDriver Monitor
Outpost Firewall
gcasServ
pccguide.exe
KAVPersonal50
Zone Labs Client
services
mpftray.exe
microsoft antispyware*
hijackthis*
msconfig.exe
kav.exe
kavsvc.exe
mcvsshld.exe
mcagent.exe
mcvsrte.exe
mcshield.exe
mcvsftsn.exe
mcdash.exe
mcvsescn.exe
mcinfo.exe
mpfagent.exe
CIzh_DataArrival'
mpfservice.exe
mskagent.exe
mcmnhdlr.exe
sndsrvc.exe
usrprmpt.exe
ccapp.exe
ccevtmgr.exe
spbbcsvc.exe
ccsetmgr.exe
symlcsvc.exe
npfmntor.exe
navapsvc.exe
issvc.exe
ccproxy.exe
tmpfw.exe
navapw32.exe
navw32.exe
smc.exe
outpost.exe
zlclient.exe
vsmon.exe
isafe.exe
pandaavengine.exe
regedit.exe
hijackthis.exe
gcasdtserv.exe
gcasserv.exe
pcctlcom.exe
tmntsrv.exe
tmproxy.exe
pcclient.exe
ethereal.exe
wpe pro.exe
nat.exe
winsp3.exe





Name   W32/Rbot-ATL

Type  
    * Worm

How it spreads  
    * Network shares

Affected operating systems  
    * Windows

Side effects  
    * Allows others to access the computer
    * Downloads code from the internet
    * Reduces system security
    * Installs itself in the Registry
    * Exploits system or software vulnerabilities

Aliases  
    * Backdoor.Win32.Rbot.gen
    * W32.Spybot.Worm
    * WORM_RBOT.CMT

Prevalence (1-5) 2

Description
W32/Rbot-ATL is a worm and IRC backdoor Trojan for the Windows 
platform.

W32/Rbot-ATL spreads:

- to other network computers by exploiting common buffer overflow 
vulnerabilities, including: LSASS (MS04-011), RPC-DCOM (MS04-012), 
WKS (MS03-049) (CAN-2003-0812), WINS (MS04-045), Dameware 
(CAN-2003-1030), MSSQL (MS02-039) (CAN-2002-0649) and PNP (MS05-039)
- to other network computers running MSSQL servers protected by weak 
passwords
- by copying itself to network shares protected by weak passwords

W32/Rbot-ATL runs continuously in the background, providing a 
backdoor server which allows a remote intruder to gain access and 
control over the computer via IRC channels.

Advanced
W32/Rbot-ATL is a worm and IRC backdoor Trojan for the Windows 
platform.

W32/Rbot-ATL spreads:

- to other network computers by exploiting common buffer overflow 
vulnerabilities, including: LSASS (MS04-011), RPC-DCOM (MS04-012), 
WKS (MS03-049) (CAN-2003-0812), WINS (MS04-045), Dameware 
(CAN-2003-1030), MSSQL (MS02-039) (CAN-2002-0649) and PNP (MS05-039)
- to other network computers running MSSQL servers protected by weak 
passwords
- by copying itself to network shares protected by weak passwords

W32/Rbot-ATL runs continuously in the background, providing a 
backdoor server which allows a remote intruder to gain access and 
control over the computer via IRC channels.

When first run W32/Rbot-ATL copies itself to 
<System>\msnq3insller.exe.

The following registry entries are created to run msnq3insller.exe on 
startup:

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
MS Unix Binary
msnq3insller.exe

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices
MS Unix Binary
msnq3insller.exe

HKCU\Software\Microsoft\Windows\CurrentVersion\Run
MS Unix Binary
msnq3insller.exe





Name   Troj/Dloader-XF

Type  
    * Trojan

Affected operating systems  
    * Windows

Side effects  
    * Downloads code from the internet
    * Installs itself in the Registry

Prevalence (1-5) 2

Description
Troj/Dloader-XF is a Trojan for the Windows platform.

Advanced
Troj/Dloader-XF is a Trojan for the Windows platform.

When Troj/Dloader-XF is installed it creates and executes the file 
<System>\run.dll without notifying the user. The Trojan will also 
attempt to download files from a remote URL to the locations:

<System>\q4.pak
<System>\prc.exe

The file run.dll is also detected as Troj/Dloader-XF.

The following registry entry is created to run the exported code on 
startup using the name SecurePatch:

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\
SharedTaskScheduler
(2F212B1B-1313-1BBC-02A8-7CA23A23E13F)
SecurePatch

The following registry entry is set:

HKCU\Software\Classes\CLSID\(2F212B1B-1313-1BBC-02A8-7CA23A23E13F)\
InProcServer32
(default)
<System>\run.dll

Registry entries are created under:

HKCU\Software\Classes\CLSID\(2F212B1B-1313-1BBC-02A8-7CA23A23E13F)\
InProcServer32\

Troj/Dloader-XF will attempt to delete registry entries under:

HKLM/SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\
SharedTaskScheduler
Windows Update

Software\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad
Windows Update





Name   W32/Sdbot-ZM

Type  
    * Spyware Worm

How it spreads  
    * Network shares

Affected operating systems  
    * Windows

Side effects  
    * Turns off anti-virus applications
    * Allows others to access the computer
    * Modifies data on the computer
    * Deletes files off the computer
    * Steals information

Aliases  
    * Backdoor.Win32.SdBot.yx

Prevalence (1-5) 2

Description
W32/Sdbot-ZM is a network worm with backdoor Trojan functionality for 
the Windows platform.

The worm spreads through network shares protected by weak passwords, 
MS-SQL servers and through various operating system vulnerabilities.

W32/Sdbot-ZM connects to a predetermined IRC channel and awaits 
further commands from remote users.

Advanced
W32/Sdbot-ZM is a network worm with backdoor Trojan functionality for 
the Windows platform.

When first run, W32/Sdbot-ZM copies itself to the Windows system 
folder as nawdll32.exe and creates the following registry entries in 
order to run each time a user logs on:

HKLM\SOFTWARE\Microsoft\Ole
nawdll32
"nawdll32.exe"

HKLM\SYSTEM\CurrentControlSet\Control\Lsa
nawdll32
"nawdll32.exe"

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
nawdll32
"nawdll32.exe"

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce
nawdll32
"nawdll32.exe"

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices
nawdll32
"nawdll32.exe"

HKCU\Software\Microsoft\OLE
nawdll32
"nawdll32.exe"

HKCU\System\CurrentControlSet\Control\Lsa
nawdll32
"nawdll32.exe"

HKCU\Software\Microsoft\Windows\CurrentVersion\Run
nawdll32
"nawdll32.exe"

HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnce
nawdll32
"nawdll32.exe"

HKCU\Software\Microsoft\Windows\CurrentVersion\RunServices
nawdll32
"nawdll32.exe"

The worm spreads through network shares protected by weak passwords, 
MS-SQL servers and through various operating system vulnerabilities.

W32/Sdbot-ZM connects to a predetermined IRC channel and awaits 
further commands from remote users. The backdoor component of 
W32/Sdbot-ZM can be instructed to perform the following functions:

scan networks for vulnerabilities
download/execute arbitrary files
start an ftp server

Patches for the vulnerabilities exploited by W32/Sdbot-ZM can be 
obtained from Microsoft at:

http://www.microsoft.com/technet/security/bulletin/MS02-039.mspx
http://www.microsoft.com/technet/security/bulletin/MS04-011.mspx
http://www.microsoft.com/technet/security/bulletin/MS04-012.mspx





Name   W32/Randex-Y

Type  
    * Worm

Aliases  
    * WORM_RANDEX.GEN
    * Backdoor.IRCBot.gen

Prevalence (1-5) 2

Description
W32/Randex-Y is a network worm with backdoor capabilities which 
allows a remote intruder to access and control the computer via IRC 
channels.

W32/Randex-Y chooses IP addresses at random and tries to connect to 
the IPC$ share using simple passwords. If the connection is 
successful the worm copies itself to the following remote locations:

\ADMIN$\system32\msnv32.exe
\C$\WINNT\system32\msnv32.exe

W32/Randex-Y then schedules a job to execute the remotely created 
files.

Each time the worm is run it tries to connect to a remote IRC server 
and join a specific channel. The worm then runs in the background as 
a server process listening for commands to execute.

When first run the worm copies itself to the Windows system folder as 
IRBMe.exe and adds the following registry entries to point to this 
copy of the worm to ensure it is run at system startup:

HKLM\Software\Microsoft\Windows\CurrentVersion\Run\IRBMe Sucks!!
HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices\IRBMe Sucks!!

W32/Randex-Y may also create the file remove.bat in the Windows temp 
folder. This file is not malicious and can simply be deleted.





Name   W32/Rbot-AUF

Type  
    * Worm

How it spreads  
    * Network shares

Affected operating systems  
    * Windows

Side effects  
    * Allows others to access the computer
    * Installs itself in the Registry

Aliases  
    * W32/Sdbot.worm.gen.l
    * W32.Spybot.Worm
    * WORM_SPYBOT.AHZ

Prevalence (1-5) 2

Description
W32/Rbot-AUF is a worm and IRC backdoor for the Windows platform.

W32/Rbot-AUF runs continuously in the background, providing a 
backdoor server which allows a remote intruder to gain access and 
control over the computer via IRC channels.

Advanced
W32/Rbot-AUF is a worm and IRC backdoor for the Windows platform.

W32/Rbot-AUF runs continuously in the background, providing a 
backdoor server which allows a remote intruder to gain access and 
control over the computer via IRC channels.

When first run W32/Rbot-AUF copies itself to 
<Windows system folder>\msconfig32.exe.

The following registry entries are created to run msconfig32.exe on 
startup:

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
MS-patch
msconfig32.exe

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices
MS-patch
msconfig32.exe

Registry entries are set as follows:

HKLM\SOFTWARE\Microsoft\Ole
EnableDCOM
N

HKLM\SYSTEM\CurrentControlSet\Control\Lsa
restrictanonymous
1





Name   Troj/Agent-EU

Type  
    * Spyware Trojan

Affected operating systems  
    * Windows

Side effects  
    * Allows others to access the computer
    * Steals information
    * Installs itself in the Registry
    * Used in DOS attacks

Aliases  
    * Backdoor.Win32.Agent.oo
    * MultiDropper-JD

Prevalence (1-5) 2

Description
Troj/Agent-EU is a Trojan for the Windows platform.

Troj/Agent-EU can steal information and may attempt to hide its files. 
The Trojan can make contact with a remote internet site, and may be 
used in DDoS attacks.

Advanced
Troj/Agent-EU is a Trojan for the Windows platform.

Troj/Agent-EU can steal information and may attempt to hide its files. 
The Trojan can make contact with a remote internet site, and may be 
used in DDoS attacks.

Troj/Agent-EU may create files named system.exe, libHide.dll, 
systemup.exe and vbstub.exe.

Troj/Agent-EU may create a registry entry in order to run 
automatically on computer login under:

HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run
explorer
<path to Trojan>

 
--- MultiMail/Win32 v0.43
 * Origin: Try Our Web Based QWK: DOCSPLACE.ORG (1:123/140)
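The write-ups quoted in the message above keep showing the same three host-level traces: HOSTS-file entries that sinkhole anti-virus and update domains to 127.0.0.1 (W32/Mytob-BZ, W32/Chode-J), bare executable names dropped into the Run/RunServices keys and into configuration keys such as Control\Lsa and Microsoft\OLE that never legitimately hold a launch string (W32/Rbot-ATE, W32/Sdbot-ZM, W32/Mytob-BZ), and settings flipped to weaken the machine (System Restore and the SharedAccess firewall service disabled, super-hidden files hidden again, as in W32/Chode-J). The following triage helper is an added example written for this page; it is not code from the post, from Sophos, or from any of the malware families named. It assumes the registry has already been dumped into (key, value name, data) tuples, for instance by parsing a `reg export` file, and the domain list, the registry entries and the HOSTS text are all constructed for the example.

```python
"""Triage helper for the host-level indicators described in the Sophos write-ups."""
import re

# Vendor and update domains that the write-ups show being pointed at 127.0.0.1.
# Constructed for this example from the HOSTS lists in the post; extend it with
# whatever update infrastructure your own environment depends on.
SECURITY_DOMAINS = (
    "symantec.com", "symantecliveupdate.com", "sophos.com", "mcafee.com",
    "nai.com", "networkassociates.com", "f-secure.com", "kaspersky.com",
    "avp.com", "viruslist.com", "trendmicro.com", "ca.com", "my-etrust.com",
    "grisoft.com", "pandasoftware.com", "zonelabs.com", "microsoft.com",
)

# Autorun keys (compared case-insensitively as path suffixes, so both HKLM and
# HKCU variants match).
AUTORUN_KEYS = (
    r"\Microsoft\Windows\CurrentVersion\Run",
    r"\Microsoft\Windows\CurrentVersion\RunOnce",
    r"\Microsoft\Windows\CurrentVersion\RunServices",
)
# Configuration keys that hold OS settings, never program launch strings; the
# bots above write their image name here as a marker / fallback.
NON_LAUNCH_KEYS = (r"\CurrentControlSet\Control\Lsa", r"\Microsoft\OLE")
# Settings the write-ups show being changed to weaken the system.
WEAKENING_SETTINGS = {
    (r"\Microsoft\Windows NT\CurrentVersion\SystemRestore", "DisableSR", "1"): "System Restore disabled",
    (r"\CurrentControlSet\Services\SharedAccess", "Start", "4"): "Windows Firewall/ICS service disabled",
    (r"\CurrentControlSet\Services\srservice", "Start", "4"): "System Restore service disabled",
    (r"\Microsoft\Windows\CurrentVersion\Explorer\Advanced", "ShowSuperHidden", "0"): "protected OS files hidden in Explorer",
}
# An executable extension followed by a closing quote, whitespace or end of data.
EXEC_EXT = re.compile(r"\.(exe|pif|scr|com|bat|dll)(?:\"|\s|$)", re.IGNORECASE)


def _is_sinkhole(ip):
    """Loopback or unspecified addresses: mapping a real domain here blackholes it."""
    return ip.startswith("127.") or ip in ("0.0.0.0", "::1")


def _is_security_domain(host):
    host = host.lower().rstrip(".")
    return any(host == d or host.endswith("." + d) for d in SECURITY_DOMAINS)


def find_hosts_poisoning(hosts_text):
    """Return (line_number, ip, hostname) for HOSTS entries that sinkhole a security domain."""
    findings = []
    for lineno, raw in enumerate(hosts_text.splitlines(), start=1):
        fields = raw.split("#", 1)[0].split()   # drop comments, split on whitespace
        if len(fields) < 2:
            continue
        ip, hosts = fields[0], fields[1:]       # one line may carry several names
        if not _is_sinkhole(ip):
            continue
        for host in hosts:
            if _is_security_domain(host):
                findings.append((lineno, ip, host.lower()))
    return findings


def _key_matches(key_lower, suffixes):
    return any(key_lower.endswith(s.lower()) for s in suffixes)


def find_registry_indicators(entries):
    """entries: iterable of (key_path, value_name, data). Returns (reason, key, name, data)."""
    findings = []
    for key, name, data in entries:
        k = key.lower()
        if _key_matches(k, NON_LAUNCH_KEYS) and EXEC_EXT.search(data):
            findings.append(("executable name under configuration key", key, name, data))
            continue
        if _key_matches(k, AUTORUN_KEYS):
            image = data.strip().strip('"')
            # Every sample in the post uses a bare filename, which is resolved via
            # the search path instead of a fixed location; flag that heuristically.
            if EXEC_EXT.search(image) and "\\" not in image:
                findings.append(("autorun entry with bare filename", key, name, data))
            elif image.lower().endswith((".pif", ".scr")):
                findings.append(("autorun entry launches .pif/.scr", key, name, data))
        for (suffix, vname, vdata), why in WEAKENING_SETTINGS.items():
            if k.endswith(suffix.lower()) and name.lower() == vname.lower() and data == vdata:
                findings.append((why, key, name, data))
    return findings


# Constructed sample input: a HOSTS file with two benign lines and three poisoned ones.
SAMPLE_HOSTS = """\
# constructed sample HOSTS file
127.0.0.1       localhost
192.168.1.10    fileserver.corp.example
127.0.0.1 www.sophos.com sophos.com
127.0.0.1 liveupdate.symantecliveupdate.com   # appended by the worm
0.0.0.0 update.symantec.com
"""

# Constructed sample registry dump: one benign autorun, then the patterns above.
SAMPLE_REG = [
    (r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run", "SoundTray", r'"C:\Program Files\Audio\soundtray.exe" /quiet'),
    (r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run", "HTML32 Help System", "hhs32.pif"),
    (r"HKLM\SYSTEM\CurrentControlSet\Control\Lsa", "nawdll32", '"nawdll32.exe"'),
    (r"HKCU\Software\Microsoft\OLE", "W1NTASK", "taskgmr.exe"),
    (r"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SystemRestore", "DisableSR", "1"),
    (r"HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess", "Start", "4"),
    (r"HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess", "Start", "2"),  # normal: automatic start
]

if __name__ == "__main__":
    for f in find_hosts_poisoning(SAMPLE_HOSTS):
        print("HOSTS line %d sinkholes %s -> %s" % f)
    for reason, key, name, data in find_registry_indicators(SAMPLE_REG):
        print("%s: %s\\%s = %s" % (reason, key, name, data))
```

Both checks are deliberately pattern-based rather than signature-based: the domain list catches any worm that blackholes update servers, not just the two named, and the Lsa/OLE rule fires on any executable name written there regardless of what the bot calls itself. Expect false positives from the bare-filename heuristic on older installers that register themselves the same way, so treat it as a lead to confirm against the file on disk rather than a verdict.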