Conference VIRUS, 378 messages
Message 154, 2028 lines
Written 2005-11-06 09:57:00 by KURT WISMER (1:123/140)
Subject: News, November 6 2005
=============================
[cut-n-paste from sophos.com]

Name   Troj/BagleDl-AB

Type  
    * Trojan

Affected operating systems  
    * Windows

Side effects  
    * Installs itself in the Registry

Prevalence (1-5) 3

Description
Troj/BagleDl-AB is a Trojan for the Windows platform.

When first run Troj/BagleDl-AB copies itself to 
<System>\hloader_exe.exe and creates the file 
<System>\hloader_dll.dll. Both these files are detected as 
Troj/BagleDl-AB.

Advanced
Troj/BagleDl-AB is a Trojan for the Windows platform.

When first run Troj/BagleDl-AB copies itself to 
<System>\hloader_exe.exe and creates the file 
<System>\hloader_dll.dll. Both these files are detected as 
Troj/BagleDl-AB.

Troj/BagleDl-AB attempts to inject the dropped file hloader_dll.dll 
into the process explorer.exe.

The following registry entries are created to run hloader_exe.exe on 
startup:

HKCU\Software\Microsoft\Windows\CurrentVersion\Run
auto__hloader__key
<System>\hloader_exe.exe

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
auto__hloader__key
<System>\hloader_exe.exe

Troj/BagleDl-AB attempts to download and execute files from a number 
of remote websites.





Name   Troj/BagleDl-Y

Type  
    * Trojan

Affected operating systems  
    * Windows

Side effects  
    * Drops more malware
    * Downloads code from the internet
    * Installs itself in the Registry

Aliases  
    * W32/Bagle.gen

Prevalence (1-5) 3

Description
Troj/BagleDl-Y downloads files from a number of remote websites and 
executes them.

Advanced
Troj/BagleDl-Y is a downloading Trojan for the Windows platform.

When first run Troj/BagleDl-Y copies itself to 
<System>\hloader_exe.exe and creates the file 
<System>\hleader_dll.dll. Both these files are detected as 
Troj/BagleDl-Y.

The following registry entries are created to run hloader_exe.exe on 
startup:

HKCU\Software\Microsoft\Windows\CurrentVersion\Run
auto__hloader__key
<System>\hloader_exe.exe

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
auto__hloader__key
<System>\hloader_exe.exe

Troj/BagleDl-Y attempts to download and execute files from a number 
of remote websites.





Name   Troj/BagleDl-AA

Type  
    * Trojan

Affected operating systems  
    * Windows

Side effects  
    * Turns off anti-virus applications
    * Deletes files off the computer
    * Reduces system security
    * Installs itself in the Registry
    * Dropped by malware

Aliases  
    * Email-Worm.Win32.Bagle.eh
    * W32/Bagle.gen

Prevalence (1-5) 3

Description
Troj/BagleDl-AA is a Trojan for the Windows platform.

Troj/BagleDl-AA attempts to terminate processes and services, delete 
files and registry entries, and block access to URLs related to 
anti-virus and security programs.

Advanced
Troj/BagleDl-AA is a Trojan for the Windows platform.

When first run Troj/BagleDl-AA copies itself to 
<System>\antiav_exe.exe and creates the file <System>\antiav_dll.dll. 
Both these files are detected as Troj/BagleDl-AA.

Troj/BagleDl-AA attempts to inject the dropped file antiav_dll.dll 
into the process explorer.exe.

The following registry entries are created to run antiav_exe.exe on 
startup:

HKCU\Software\Microsoft\Windows\CurrentVersion\Run
auto__antiav__key
<System>\antiav_exe.exe

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
auto__antiav__key
<System>\antiav_exe.exe

Troj/BagleDl-AA attempts to terminate several processes and services 
related to anti-virus and security programs, to delete related files, 
to modify C:\boot.ini to delete related files on system startup, to 
block access to related websites, to delete related registry entries, 
and to delete registry entries at the following locations to stop 
related files from running on system startup:

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run

HKCU\Software\Microsoft\Windows\CurrentVersion\Run





Name   Troj/BagleDl-Z

Type  
    * Trojan

Affected operating systems  
    * Windows

Side effects  
    * Drops more malware
    * Downloads code from the internet
    * Installs itself in the Registry

Aliases  
    * W32/Bagle.gen

Prevalence (1-5) 3

Description
Troj/BagleDl-Z downloads files from a number of remote websites and 
executes them.

Advanced
Troj/BagleDl-Z is a downloading Trojan for the Windows platform.

When first run Troj/BagleDl-Z copies itself to 
<System>\hloader_exe.exe and creates the file 
<System>\hleader_dll.dll. Both these files are detected as 
Troj/BagleDl-Z.

The following registry entries are created to run hloader_exe.exe on 
startup:

HKCU\Software\Microsoft\Windows\CurrentVersion\Run
auto__hloader__key
<System>\hloader_exe.exe

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
auto__hloader__key
<System>\hloader_exe.exe

Troj/BagleDl-Z attempts to download and execute files from a number 
of remote websites.





Name   W32/Mytob-FH

Type  
    * Worm

How it spreads  
    * Email attachments

Affected operating systems  
    * Windows

Side effects  
    * Allows others to access the computer
    * Modifies data on the computer
    * Forges the sender's email address
    * Uses its own emailing engine
    * Reduces system security

Prevalence (1-5) 3

Description
W32/Mytob-FH is a mass-mailing worm and IRC backdoor Trojan for the 
Windows platform.

W32/Mytob-FH runs continuously in the background, providing a 
backdoor server which allows a remote intruder to gain access and 
control over the computer via IRC channels.

Advanced
W32/Mytob-FH is a mass-mailing worm and IRC backdoor Trojan for the 
Windows platform.

W32/Mytob-FH runs continuously in the background, providing a 
backdoor server which allows a remote intruder to gain access and 
control over the computer via IRC channels.

Emails sent by the worm have characteristics from the following:

Subject line:
Your password has been updated
Your password has been successfully updated
You have successfully updated your password
Your new account password is approved
Your Account is Suspended
*DETECTED* Online User Violation
Your Account is Suspended For Security Reasons
Warning Message: Your services near to be closed.
Important Notification
Members Support
Security measures
Email Account Suspension
Notice of account limitation
<random characters>

Message text - a formatted version of one of the following:
Dear user <recipient's username>,

You have successfully updated the password of your 
<recipient's domain> account.

If you did not authorize this change or if you need assistance with 
your account, please contact <recipient's domain> customer service at: 
<spoofed sender address>

Thank you for using <recipient's domain>!
The <recipient's domain> Support Team <BR>

+++ Attachment: No Virus (Clean)
+++ <recipient's domain> Antivirus - www.<recipient's domain>

Dear user <recipient's username>,

It has come to our attention that your <recipient's domain> User 
Profile ( x ) records are out of date. For further details see the 
attached document.

Thank you for using <recipient's domain>!
The <recipient's domain> Support Team

+++ Attachment: No Virus (Clean)
+++ <recipient's domain> Antivirus - www.<recipient's domain>

Dear <recipient's username> Member,

We have temporarily suspended your email account <recipient's domain>.

This might be due to either of the following reasons:

1. A recent change in your personal information (i.e. change of 
address).
2. Submiting invalid information during the initial sign up process.
3. An innability to accurately verify your selected option of 
subscription due to an internal error within our processors.
See the details to reactivate your <recipient's domain> account.

Sincerely,The <recipient's domain> Support Team

+++ Attachment: No Virus (Clean)
+++ <recipient's domain> Antivirus - www.<recipient's domain>

Dear <recipient's domain> Member,

Your e-mail account was used to send a huge amount of unsolicited 
spam messages during the recent week. If you could please take 5-10 
minutes out of your online experience and confirm the attached 
document so you will not run into any future problems with the online 
service.

If you choose to ignore our request, you leave us no choice but to 
cancel your membership.

Virtually yours,
The <recipient's domain> Support Team

+++ Attachment: No Virus found
+++ <recipient's domain> Antivirus - www.<recipient's domain>

Attachment name:
updated-password
email-password
new-password
password
approved-password
account-password
accepted-password
important-details
account-details
email-details
account-info
document
readme
account-report

First extension (of attachment or of file inside zip):
doc
htm
txt

Second extension (of attachment or of file inside zip):
pif
scr
exe
cmd
bat

If the attachment is a zip file it will have the same base name as 
the double-extension file inside.

Example attachment names include document.txt.pif and 
information.doc.cmd, usually with a large number of spaces between 
the extensions.

The following registry entries are created:

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
NAMEDPIPE SYSTEM
\namedpipe.exe

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices
NAMEDPIPE SYSTEM
\namedpipe.exe

W32/Mytob-FH sets the following registry entries, disabling the 
automatic startup of other software:

HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess
Start
4

Note: disabling autostart for the SharedAccess service deactivates 
the Microsoft Internet Connection Firewall (ICF).

W32/Mytob-FH modifies the HOSTS file, changing the URL-to-IP mappings 
for selected websites, therefore preventing normal access to these 
sites. The new HOSTS file will typically contain the following:






Name   Troj/BagleDl-W

Type  
    * Trojan

Affected operating systems  
    * Windows

Side effects  
    * Downloads code from the internet
    * Installs itself in the Registry

Prevalence (1-5) 3

Description
Troj/BagleDl-W is a Trojan for the Windows platform.

Advanced
Troj/BagleDl-W is a Trojan for the Windows platform.

When first run Troj/BagleDl-W copies itself to 
<Windows system folder>\hloader_exe.exe and creates the file 
<Windows system folder>\hloader_dll.dll. Both these files are 
detected as Troj/BagleDl-W.

Troj/BagleDl-W attempts to inject the dropped file hloader_dll.dll 
into the process explorer.exe.

The following registry entries are created to run hloader_exe.exe on 
startup:

HKCU\Software\Microsoft\Windows\CurrentVersion\Run
auto__hloader__key
<Windows system folder>\hloader_exe.exe

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
auto__hloader__key
<Windows system folder>\hloader_exe.exe

Troj/BagleDl-W attempts to download and execute files from a number 
of remote websites.





Name   W32/Mytob-FF

Type  
    * Worm

How it spreads  
    * Email attachments

Affected operating systems  
    * Windows

Side effects  
    * Turns off anti-virus applications
    * Sends itself to email addresses found on the infected computer
    * Forges the sender's email address
    * Uses its own emailing engine
    * Downloads code from the internet

Prevalence (1-5) 3

Description
W32/Mytob-FF is a mass-mailing worm and IRC backdoor Trojan.

W32/Mytob-FF runs continuously in the background, providing a backdoor server
which allows a remote intruder to gain access and control over the computer via
IRC channels, including the ability to download and execute files on the
infected computer.

W32/Mytob-FF modifies the Windows hosts file in order to block access 
to certain security-related websites.

Advanced
W32/Mytob-FF is a mass-mailing worm and IRC backdoor Trojan.

W32/Mytob-FF runs continuously in the background, providing a 
backdoor server which allows a remote intruder to gain access and 
control over the computer via IRC channels, including the ability to 
download and execute files on the infected computer.

When first run W32/Mytob-FF attempts to copy itself to 
<System>\pipe.exe.

The following registry entries are created to run pipe.exe on startup:

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
PIPE SYSTEM
pipe.exe

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices
PIPE SYSTEM
pipe.exe

W32/Mytob-FF sets the following registry entries, disabling the 
automatic startup of other software:

HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess
Start
4

Note: disabling autostart for the SharedAccess service deactivates 
the Microsoft Internet Connection Firewall (ICF).

W32/Mytob-FF can spread by sending itself as an email attachment to 
email addresses it harvests from the infected computer, either as an 
attachment with a double-extension or as a zip file containing a file 
with a double-extension. W32/Mytob-FF avoids sending emails to 
addresses containing certain strings in them.

W32/Mytob-FF processes the emails it has harvested by splitting them 
into name and domain. Once it has sent itself to the emails it has 
harvested, it uses a predefined list of names with the harvested 
domains. W32/Mytob-FF spoofs the sender, sending emails as if from 
one of the following at the same domain as the recipient:

support
administrator
mail
service
admin
info
register
webmaster

For example if sending itself to name@example.com, W32/Mytob-FF might 
send the email as if from admin@example.com.

Emails sent by the worm have characteristics from the following:

Subject line:
Your password has been updated
Your password has been successfully updated
You have successfully updated your password
Your new account password is approved
Your Account is Suspended
*DETECTED* Online User Violation
Your Account is Suspended For Security Reasons
Warning Message: Your services near to be closed.
Important Notification
Members Support
Security measures
Email Account Suspension
Notice of account limitation
<random characters>

Message text - a formatted version of one of the following:
Dear user <recipient's username>,

You have successfully updated the password of your <recipient's domain> 
account.

If you did not authorize this change or if you need assistance with 
your account, please contact <recipient's domain> customer service at: 
<spoofed sender address>

Thank you for using <recipient's domain>!
The <recipient's domain> Support Team <BR>

+++ Attachment: No Virus (Clean)
+++ <recipient's domain> Antivirus - www.<recipient's domain>

Dear user <recipient's username>,

It has come to our attention that your <recipient's domain> User 
Profile ( x ) records are out of date. For further details see the 
attached document.

Thank you for using <recipient's domain>!
The <recipient's domain> Support Team

+++ Attachment: No Virus (Clean)
+++ <recipient's domain> Antivirus - www.<recipient's domain>

Dear <recipient's username> Member,

We have temporarily suspended your email account <recipient's domain>.

This might be due to either of the following reasons:

1. A recent change in your personal information (i.e. change of 
address).
2. Submiting invalid information during the initial sign up process.
3. An innability to accurately verify your selected option of 
subscription due to an internal error within our processors.
See the details to reactivate your <recipient's domain> account.

Sincerely,The <recipient's domain> Support Team

+++ Attachment: No Virus (Clean)
+++ <recipient's domain> Antivirus - www.<recipient's domain>

Dear <recipient's domain> Member,

Your e-mail account was used to send a huge amount of unsolicited 
spam messages during the recent week. If you could please take 5-10 
minutes out of your online experience and confirm the attached 
document so you will not run into any future problems with the online 
service.

If you choose to ignore our request, you leave us no choice but to 
cancel your membership.

Virtually yours,
The <recipient's domain> Support Team

+++ Attachment: No Virus found
+++ <recipient's domain> Antivirus - www.<recipient's domain>

Attachment name:
updated-password
email-password
new-password
password
approved-password
account-password
accepted-password
important-details
account-details
email-details
account-info
document
readme
account-report
<randomly named>

First extension (of attachment or of file inside zip):
doc
htm
txt

Second extension (of attachment or of file inside zip):
pif
scr
exe
cmd
bat

If the attachment is a zip file it will have the same base name as 
the double-extension file inside.

Example attachment names include document.txt.pif and 
information.doc.cmd, usually with a large number of spaces between 
the extensions.
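Added example, not from the Sophos descriptions or the original post: a mail-gateway style name check for the attachment scheme both Mytob-FH and Mytob-FF use (decoy doc/htm/txt extension, a run of spaces, then pif/scr/exe/cmd/bat, optionally inside a zip whose base name matches the member). The function names and the sample names are this example's own.

```python
import io
import re
import zipfile
from typing import Optional

# Extensions named in the Mytob-FH/FF descriptions
DECOY_EXTS = {"doc", "htm", "txt"}
EXEC_EXTS = {"pif", "scr", "exe", "cmd", "bat"}

# base name, '.', decoy extension, optional run of whitespace, '.',
# executable extension at the very end of the name
DOUBLE_EXT_RE = re.compile(
    r"^(?P<base>.+?)\.(?P<first>[a-z0-9]+)\s*\.(?P<second>[a-z0-9]+)$",
    re.IGNORECASE,
)


def classify_name(name: str) -> Optional[dict]:
    """Return details if `name` has the decoy/executable double extension,
    else None. Any amount of whitespace between the two extensions is
    accepted, since the worm pads that gap with many spaces so the real
    extension scrolls out of view in mail clients."""
    m = DOUBLE_EXT_RE.match(name.strip())
    if not m:
        return None
    first, second = m.group("first").lower(), m.group("second").lower()
    if first not in DECOY_EXTS or second not in EXEC_EXTS:
        return None
    return {
        "base": m.group("base").strip(),
        "first": first,
        "second": second,
        # number of whitespace characters hidden between the extensions
        "padding": len(name) - len(re.sub(r"\s", "", name)),
    }


def suspicious_zip_members(zip_name: str, data: bytes) -> list:
    """Inspect an in-memory zip attachment by member names only (nothing is
    extracted) and return details of every double-extension member, noting
    whether its base name equals the zip's own base name, the tell the
    descriptions give for this family."""
    zip_base = zip_name.strip()
    if zip_base.lower().endswith(".zip"):
        zip_base = zip_base[:-4]
    hits = []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for member in zf.namelist():
            details = classify_name(member)
            if details is None:
                continue
            details["member"] = member
            details["base_matches_zip"] = details["base"].lower() == zip_base.lower()
            hits.append(details)
    return hits


def build_sample_zip(member_name: str) -> bytes:
    """Constructed test input: a zip with one inert text member, used only to
    exercise the name checks."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr(member_name, "constructed sample content\n")
    return buf.getvalue()


if __name__ == "__main__":
    for sample in ("document.txt        .pif", "information.doc.cmd",
                   "quarterly-report.doc", "notes.txt.pdf"):
        print(repr(sample), "->", classify_name(sample))
    zipped = build_sample_zip("account-details.txt      .scr")
    print(suspicious_zip_members("account-details.zip", zipped))
```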

W32/Mytob-FF attempts to terminate a large number of processes 
related to security and anti-virus programs including REGEDIT.EXE, 
MSCONFIG.EXE and NETSTAT.EXE.

W32/Mytob-FF modifies the Windows hosts file in order to block access 
to the following security-related websites:

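Added example, not part of the original post: an audit of a Windows HOSTS file for the loopback redirections the Mytob-FH and Mytob-FF descriptions give (vendor, update and payment sites pointed at 127.0.0.1), with a cleanup step that keeps legitimate names on a shared line. The watch-list, function names and sample file are constructed for this example.

```python
import ipaddress

# Hosts of the kind the descriptions list (vendor, update, payment sites);
# constructed watch-list for this example, extend it from your own sources.
WATCHED = {
    "www.sophos.com", "liveupdate.symantec.com", "www.microsoft.com",
    "www.paypal.com",
}


def is_sink(addr: str) -> bool:
    """True if `addr` is a loopback (127.x, ::1) or unspecified (0.0.0.0)
    address, i.e. a mapping that silently black-holes the name."""
    try:
        ip = ipaddress.ip_address(addr)
    except ValueError:
        return False  # not an address at all; the line is malformed
    return ip.is_loopback or ip.is_unspecified


def parse_hosts(text: str):
    """Yield (address, hostname, line_no) for every mapping in hosts-file
    syntax: '#' comments stripped, blank lines skipped, several names on
    one line expanded, names lower-cased."""
    for line_no, raw in enumerate(text.splitlines(), 1):
        fields = raw.split("#", 1)[0].split()
        if len(fields) < 2:
            continue
        for host in fields[1:]:
            yield fields[0], host.lower().rstrip("."), line_no


def find_hijacks(text: str, watched=WATCHED) -> list:
    """Return one dict per watched hostname that the file sends to a sink."""
    return [
        {"line": line_no, "host": host, "address": addr}
        for addr, host, line_no in parse_hosts(text)
        if host in watched and is_sink(addr)
    ]


def clean_hosts(text: str, watched=WATCHED) -> str:
    """Return the hosts text with hijacked names removed. A line keeps any
    names that are not hijacked (so 'localhost' survives even if a watched
    name was appended to its line) and is dropped when nothing is left."""
    out = []
    for raw in text.splitlines():
        fields = raw.split("#", 1)[0].split()
        if len(fields) >= 2 and is_sink(fields[0]):
            keep = [h for h in fields[1:] if h.lower().rstrip(".") not in watched]
            if not keep:
                continue
            if len(keep) != len(fields) - 1:
                raw = " ".join([fields[0], *keep])
        out.append(raw)
    return "\n".join(out) + "\n"


# Constructed sample hosts file, not taken from an infected machine.
SAMPLE_HOSTS = """# constructed sample
127.0.0.1       localhost
::1             localhost www.sophos.com
127.0.0.1 liveupdate.symantec.com   # appended by the worm
127.0.0.1\twww.paypal.com www.microsoft.com
0.0.0.0 www.microsoft.com
10.0.0.5 intranet.example   # legitimate internal mapping
"""

if __name__ == "__main__":
    for hit in find_hijacks(SAMPLE_HOSTS):
        print(f"line {hit['line']}: {hit['host']} -> {hit['address']}")
    print(clean_hosts(SAMPLE_HOSTS))
```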





Name   Troj/Dagonit-A

Type  
    * Trojan

Affected operating systems  
    * Windows

Side effects  
    * Allows others to access the computer
    * Drops more malware
    * Installs itself in the Registry

Aliases  
    * Trojan.Win32.Agent.jh

Prevalence (1-5) 2

Description
Troj/Dagonit-A is a multicomponent backdoor Trojan for the Windows 
platform that allows unauthorized remote access through the randomly 
open TCP port.

The Trojan creates a user account with the name Service that is used 
by the intruder to take control of the infected computer.

Advanced
Troj/Dagonit-A is a multicomponent backdoor Trojan for the Windows 
platform that allows unauthorized remote access through the randomly 
open TCP port.

The Trojan creates a user account with the name Service that is used 
by the intruder to take control of the infected computer.

When Troj/Dagonit-A is installed the following files are created:

<current folder>\dali.reg
<current folder>\dalia2.exe
<current folder>\system.bat
<current folder>\winspool.exe
<current folder>\wpap.exe

where wpap.exe is detected as Troj/Wpap-A.

Troj/Dagonit-A may attempt to replace the original winspool.exe with 
the Trojan file.

Troj/Dagonit-A sets a number of registry entries including the 
following:

HKLM\System\CurrentControlSet\Services\RDSessMgr
Start
2
HKLM\System\CurrentControlSet\Services\TermService
Start
2
HKLM\System\CurrentControlSet\Services\TlntSvr
Start
2
HKLM\System\CurrentControlSet\Services\lanmanserver
Start
2

This ensures that the following services are started at the next 
restart:

Remote Desktop Help Session Manager
Terminal Services
Telnet
Server

The Trojan also sets the following registry entries in an attempt to 
weaken security settings:

HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server
fDenyTSConnections
0
TSAdvertise
1
IdleWinStationPoolCount
1
TSAppCompat
1
TSEnabled
1
TSUserEnabled
1

HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server\Licensing Core
EnableConcurrentSessions
0

HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server\Licensing Core
\WinStations\RDP-Tcp
fEnableWinStation
1
MaxInstanceCount
-1

Troj/Dagonit-A may attempt to delete the following files:

<System>\dllcashe\winlogon.exe
<System>\dllcashe\termsrv.dll
<System>\dllcashe\mstscax.dll





Name   W32/Rbot-AUQ

Type  
    * Worm

How it spreads  
    * Network shares

Affected operating systems  
    * Windows

Side effects  
    * Allows others to access the computer
    * Installs itself in the Registry
    * Exploits system or software vulnerabilities

Aliases  
    * Backdoor.Win32.Rbot.ahj
    * WORM_SDBOT.CFL

Prevalence (1-5) 2

Description
W32/Rbot-AUQ is a worm and IRC backdoor for the Windows platform.

W32/Rbot-AUQ runs continuously in the background, providing a 
backdoor server which allows a remote intruder to gain access and 
control over the computer via IRC channels.

W32/Rbot-AUQ may spread to network shares protected by weak passwords 
or by exploiting the following system vulnerabilities: LSASS 
(MS04-011), RPC-DCOM (MS04-012), WKS (MS03-049), PNP (MS05-039), ASN.1 
(MS04-007).

Advanced
W32/Rbot-AUQ is a worm and IRC backdoor for the Windows platform.

W32/Rbot-AUQ runs continuously in the background, providing a 
backdoor server which allows a remote intruder to gain access and 
control over the computer via IRC channels.

W32/Rbot-AUQ may spread to network shares protected by weak passwords 
or by exploiting the following system vulnerabilities: LSASS 
(MS04-011), RPC-DCOM (MS04-012), WKS (MS03-049), PNP (MS05-039), ASN.1 
(MS04-007).

When first run W32/Rbot-AUQ copies itself to 
<Windows system folder>\winsv.exe.

The following registry entries are created to run winsv.exe on startup:

HKCU\Software\Microsoft\Windows\CurrentVersion\Run
Windows Spools SV
winsv.exe

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Windows Spools SV
winsv.exe

HKCU\Software\Microsoft\Windows\CurrentVersion\RunServices
Windows Spools SV
winsv.exe

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices
Windows Spools SV
winsv.exe

Registry entries are set as follows:

HKCU\SYSTEM\CurrentControlSet\Control\Lsa
Windows Spools SV
winsv.exe

HKLM\SYSTEM\CurrentControlSet\Control\Lsa
Windows Spools SV
winsv.exe

HKCU\Software\Microsoft\OLE
Windows Spools SV
winsv.exe

HKLM\SOFTWARE\Microsoft\Ole
Windows Spools SV
winsv.exe





Name   W32/Poebot-P

Type  
    * Worm

How it spreads  
    * Network shares

Affected operating systems  
    * Windows

Side effects  
    * Allows others to access the computer
    * Installs itself in the Registry
    * Exploits system or software vulnerabilities

Aliases  
    * Backdoor.Win32.SdBot.aho
    * W32.Linkbot.M
    * WORM_RBOT.CFU

Prevalence (1-5) 2

Description
W32/Poebot-P is a worm for the Windows platform.

Advanced
W32/Poebot-P is a worm for the Windows platform.

When first run W32/Poebot-P copies itself to <System>\iexplore.exe 
and creates the file jotji.bat in the current folder. The file 
jotji.bat is harmless on its own and can be safely removed.

W32/Poebot-P will attempt to connect to a remote URL and may spread 
through network shares protected by weak passwords, and by exploiting 
vulnerabilities including:

LSASS (MS04-011)
RPC-DCOM (MS04-012)
WKS (MS03-049) (CAN-2003-0812)
WebDav (MS03-007)
Veritas (CAN-2004-1172)
Dameware (CAN-2003-1030)
PNP (MS05-039)
ASN.1 (MS04-007)

The following registry entry is created to run iexplore.exe on startup:

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Microsoft Internet Explorer
<System>\iexplore.exe





Name   Troj/ParDrop-A

Type  
    * Trojan

Affected operating systems  
    * Windows

Side effects  
    * Drops more malware

Aliases  
    * Trojan.Win32.Small.da
    * Trojan.Win32.Small.cz
    * TROJ_SMALL.RX

Prevalence (1-5) 2

Description
Troj/ParDrop-A is a dropper Trojan for the Windows platform.

When first run, Troj/ParDrop-A creates the following files (these 
files have their read-only and hidden attributes set):

<System>\explore.exe - detected as Troj/ParDrop-A
<Temp>\<random filename>.tmp - detected as Troj/ParDrop-A
<System>\inetinfo.exe - detected as W32/Parite-B
<System>\svids.dll - data file which may be safely deleted

Troj/ParDrop-A then attempts to load the W32/Parite-B virus by 
running the file <System>\inetinfo.exe.

Advanced
Troj/ParDrop-A is a dropper Trojan for the Windows platform.

When first run, Troj/ParDrop-A creates the following files (these 
files have their read-only and hidden attributes set):

<System>\explore.exe - detected as Troj/ParDrop-A
<Temp>\<random filename>.tmp - detected as Troj/ParDrop-A
<System>\inetinfo.exe - detected as W32/Parite-B
<System>\svids.dll - data file which may be safely deleted

Troj/ParDrop-A then attempts to load the W32/Parite-B virus by 
running the file <System>\inetinfo.exe.

Troj/ParDrop-A also sets the following registry entry to run the 
W32/Parite-B virus:

HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run
System
<System>\inetinfo.exe





Name   Troj/Goldun-AK

Type  
    * Spyware Trojan

Affected operating systems  
    * Windows

Side effects  
    * Allows others to access the computer
    * Steals information
    * Drops more malware
    * Reduces system security
    * Records keystrokes
    * Installs itself in the Registry

Prevalence (1-5) 2

Description
Troj/Goldun-AK is a Trojan for the Windows platform.

The Trojan steals login credentials entered into web forms related to 
certain financial institutions.

Advanced
Troj/Goldun-AK is a Trojan for the Windows platform.

When run, Troj/Goldun-AK creates the file mside.dll. The file 
mside.dll is registered as a COM object and Browser Helper Object 
(BHO) for Microsoft Internet Explorer, creating registry entries under:

HKCR\CLSID\{13146842-6251-5625-3072-548536364311}
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper
Objects\{13146842-6251-5625-3072-548536364311}

The Trojan steals login credentials entered into web forms related to 
certain financial institutions.





Name   W32/Rbot-AWB

Type  
    * Spyware Worm

How it spreads  
    * Network shares
    * Chat programs

Affected operating systems  
    * Windows

Side effects  
    * Allows others to access the computer
    * Modifies data on the computer
    * Deletes files off the computer
    * Steals information
    * Downloads code from the internet

Prevalence (1-5) 2

Description
W32/Rbot-AWB is a network worm with backdoor Trojan functionality for 
the Windows platform.

W32/Rbot-AWB can be controlled by a remote attacker over IRC channels. 
The backdoor component of W32/Rbot-AWB can be instructed by a 
remote user to perform various functions.

W32/Rbot-AWB spreads using a variety of techniques including:
-exploiting weak passwords on computers and SQL servers
-exploiting operating system vulnerabilities (including PnP [MS05-039]) 
and using backdoors opened by other worms or Trojans
-sending download links through the AOL Instant Messenger (AIM) 
client to online "buddies"

Advanced
W32/Rbot-AWB is a network worm with backdoor Trojan functionality for 
the Windows platform.

The worm copies itself to a file named msniu.exe in the Windows 
system folder and creates the following registry entries:

HKCU\Software\Microsoft\Windows\CurrentVersion\Run
MSN Messenger 32
"msniu.exe"

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
MSN Messenger 32
"msniu.exe"

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices
MSN Messenger 32
"msniu.exe"

W32/Rbot-AWB can be controlled by a remote attacker over IRC channels. 
The backdoor component of W32/Rbot-AWB can be instructed by a remote 
user to perform the following functions:

start an FTP server
start a Proxy server
start a web server
take part in distributed denial of service (DDoS) attacks
log keypresses
capture screen/webcam images
packet sniffing
port scanning
download/execute arbitrary files
start a remote shell (RLOGIN)
steal product registration information from certain software

W32/Rbot-AWB spreads using a variety of techniques including:
-exploiting weak passwords on computers and SQL servers
-exploiting operating system vulnerabilities (including PnP [MS05-039]) 
and using backdoors opened by other worms or Trojans
-sending download links through the AOL Instant Messenger (AIM) 
client to online "buddies"





Name   W32/Oscabot-N

Type  
    * Worm

How it spreads  
    * Chat programs

Affected operating systems  
    * Windows

Prevalence (1-5)

Description
W32/Oscabot-N is an instant messaging worm that can exploit users of 
AOL Instant Messenger (AIM) clients.

W32/Oscabot-N will attempt to locate the AIM application and use it 
to send web links to other users.





Name   W32/Tilebot-AP

Type  
    * Spyware Worm

How it spreads  
    * Network shares

Affected operating systems  
    * Windows

Side effects  
    * Turns off anti-virus applications
    * Allows others to access the computer
    * Modifies data on the computer
    * Deletes files off the computer
    * Steals information

Prevalence (1-5) 2

Description
W32/Tilebot-AP is a worm which attempts to spread to remote network 
shares. It also contains backdoor Trojan functionality, allowing 
unauthorized remote access to the infected computer via IRC channels.

W32/Tilebot-AP spreads to network shares with weak passwords as a 
result of the backdoor Trojan element receiving the appropriate 
command from a remote user. The worm can spread to unpatched 
computers vulnerable to the following exploits:

ASN.1 (MS04-007)
LSASS (MS04-011)
PNP (MS05-039)
RPC-DCOM (MS04-012)

W32/Tilebot-AP attempts to remove network shares from the infected 
computer and to change the SeNetworkLogonRight policy on the 
computer.

W32/Tilebot-AP may attempt to contact scripts on remote sites.

Advanced
W32/Tilebot-AP is a worm which attempts to spread to remote network 
shares. It also contains backdoor Trojan functionality, allowing 
unauthorized remote access to the infected computer via IRC channels.

W32/Tilebot-AP spreads to network shares with weak passwords as a 
result of the backdoor Trojan element receiving the appropriate 
command from a remote user. The worm can spread to unpatched 
computers vulnerable to the following exploits:

ASN.1 (MS04-007)
LSASS (MS04-011)
PNP (MS05-039)
RPC-DCOM (MS04-012)

W32/Tilebot-AP copies itself to the Windows folder with the filename 
ipconfig32.exe and creates a service named "IPtable" with a start up 
type of automatic, causing the service to be run each time Windows 
starts.

W32/Tilebot-AP allows a remote user to perform a wide range of 
actions on the infected computer including downloading further files, 
setting registry entries and stealing information from the computer 
including from protected storage areas.

W32/Tilebot-AP attempts to terminate services with the following 
names in order to disrupt various security processes including the 
Windows firewall and Windows critical updates:

Tlntsvr
RemoteRegistry
Messenger
SharedAccess
wscsvc

W32/Tilebot-AP attempts to set the following registry entries to 
disrupt various security processes:

HKLM\SOFTWARE\Microsoft\Security Center
UpdatesDisableNotify
1

HKLM\SOFTWARE\Microsoft\Security Center
AntiVirusDisableNotify
1

HKLM\SOFTWARE\Microsoft\Security Center
FirewallDisableNotify
1

HKLM\SOFTWARE\Microsoft\Security Center
AntiVirusOverride
1

HKLM\SOFTWARE\Microsoft\Security Center
FirewallOverride
1

HKLM\SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile
EnableFirewall
0

HKLM\SOFTWARE\Policies\Microsoft\WindowsFirewall\StandardProfile
EnableFirewall
0

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate\
AutoUpdate
AUOptions
1

HKLM\SYSTEM\CurrentControlSet\Services\wscsvc
Start
4

HKLM\SYSTEM\CurrentControlSet\Services\TlntSvr
Start
4

HKLM\SYSTEM\CurrentControlSet\Services\RemoteRegistry
Start
4

HKLM\SYSTEM\CurrentControlSet\Services\Messenger
Start
4

HKLM\SYSTEM\CurrentControlSet\Control\Lsa
restictanonymous
1

HKLM\SYSTEM\CurrentControlSet\Services\lanmanserver\parameters
AutoShareWks
0

HKLM\SYSTEM\CurrentControlSet\Services\lanmanserver\parameters
AutoShareServer
0

HKLM\SYSTEM\CurrentControlSet\Services\lanmanworkstation\parameters
AutoShareWks
0

HKLM\SYSTEM\CurrentControlSet\Services\lanmanworkstation\parameters
AutoShareServer
0

HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate
DoNotAlloxXPSP2
1

HKLM\SOFTWARE\Microsoft\OLE
EnableDCOM
"N"

W32/Tilebot-AP may also set entries in the registry at the following 
locations:

HKLM\SYSTEM\CurrentControlSet\Control\
WaitToKillServiceTimeout

W32/Tilebot-AP attempts to remove network shares from the infected 
computer and to change the SeNetworkLogonRight policy on the 
computer.

W32/Tilebot-AP may attempt to contact scripts on remote sites.

The following registry entries are created as a result of registering 
the system service:

HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_IPTABLE
<several entries>

HKLM\SYSTEM\CurrentControlSet\Services\IPtable
<several entries>





Name   W32/Esbot-B

Type  
    * Worm

How it spreads  
    * Network shares

Affected operating systems  
    * Windows

Side effects  
    * Allows others to access the computer
    * Installs itself in the Registry

Aliases  
    * Backdoor.Win32.IRCBot.es
    * W32/IRCbot.worm.gen
    * Backdoor.Trojan

Prevalence (1-5) 2

Description
W32/Esbot-B is a worm and IRC backdoor Trojan for the Windows platform.

W32/Esbot-B will connect to an IRC channel and wait for instructions.

Advanced
W32/Esbot-B is a worm and IRC backdoor Trojan for the Windows platform.

W32/Esbot-B will connect to an IRC channel and wait for instructions.

When first run W32/Esbot-B copies itself to <Windows>\services32.exe.

The file services32.exe is registered as a new system driver service 
named "Content List Management Sub System", with a display name of 
"services32" and a startup type of automatic, so that it is started 
automatically during system startup. Registry entries are created 
under:

HKLM\SYSTEM\CurrentControlSet\Services\Content List Management Sub System\

The following registry entry is set:

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions
Melt
<pathname of the Trojan executable>





Name   W32/Bagle-BS

Type  
    * Worm

How it spreads  
    * Email attachments

Affected operating systems  
    * Windows

Side effects  
    * Forges the sender's email address
    * Uses its own emailing engine
    * Downloads code from the internet
    * Installs itself in the Registry

Prevalence (1-5) 2

Description
W32/Bagle-BS is a worm for the Windows platform.

W32/Bagle-BS sends a ZIP file as an email attachment. The ZIP file 
contains an executable detected as Troj/BagleDl-W. When run, this 
executable attempts to download further files, which may include 
copies of the original worm W32/Bagle-BS.

W32/Bagle-BS may download and run further malicious code, storing the 
downloaded file as re_file.exe in the Windows system folder.

Messages sent by W32/Bagle-BS have the following characteristics. The 
subject line is blank. The message text is chosen to be one of the 
following lines:

info
texte
The password is <image>
Password: <image>

The attachment name is chosen from the following:

Business.zip
Business_dealing.zip
Health_and_knowledge.zip
Info_prices.zip
max.zip
sms_text.zip
text_sms.zip
The_new_prices.zip

The worm will avoid sending emails to addresses containing any of the 
following strings:

@derewrdgrs
@eerswqe
@messagelab
@microsoft
anyone@
certific
contract@
f-secur
free-av
gold-certs@
google
icrosoft
listserv
nobody@
noone@
noreply
postmaster@
rating@
samples
support
update
winrar
winzip

Advanced
W32/Bagle-BS is a worm for the Windows platform.

W32/Bagle-BS sends a ZIP file as an email attachment. The ZIP file 
contains an executable detected as Troj/BagleDl-W. When run, this 
executable attempts to download further files, which may include 
copies of the original worm W32/Bagle-BS.

W32/Bagle-BS may download and run further malicious code, storing the 
downloaded file as re_file.exe in the Windows system folder.

Messages sent by W32/Bagle-BS have the following characteristics. The 
subject line is blank. The message text is chosen to be one of the 
following lines:

info
texte
The password is <image>
Password: <image>

The attachment name is chosen from the following:

Business.zip
Business_dealing.zip
Health_and_knowledge.zip
Info_prices.zip
max.zip
sms_text.zip
text_sms.zip
The_new_prices.zip

The worm will avoid sending emails to addresses containing any of the 
following strings:

@derewrdgrs
@eerswqe
@messagelab
@microsoft
anyone@
certific
contract@
f-secur
free-av
gold-certs@
google
icrosoft
listserv
nobody@
noone@
noreply
postmaster@
rating@
samples
support
update
winrar
winzip

When first run W32/Bagle-BS copies itself to <System>\windll2.exe. 
The following registry entries are created:

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Ru1n
erthegdr
<System>\windll2.exe

HKCU\Software\Microsoft\Windows\CurrentVersion\Ru1n
erthegdr
<System>\windll2.exe

W32/Bagle-BS attempts to delete registry entries from the following 
locations:

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Ru1n

HKCU\Software\Microsoft\Windows\CurrentVersion\Ru1n

Entries are deleted if they have any of the following names:

9XHtProtect
Antivirus
EasyAV
FirewallSvr
HtProtect
ICQ Net
ICQNet
Jammer2nd
KasperskyAVEng
MsInfo
My AV
Norton Antivirus AV
PandaAVEngine
service
SkynetsRevenge
Special Firewall Service
SysMonXP
Tiny AV
Zone Labs Client Ex

W32/Bagle-BS terminates the following processes:

1t1epad.exe
t1es1t.exe





Name   Troj/WowPWS-A

Type  
    * Spyware Trojan

Affected operating systems  
    * Windows

Side effects  
    * Steals information
    * Installs itself in the Registry

Aliases  
    * PWSteal.Wowcraft.B
    * BackDoor-CUQ

Prevalence (1-5) 2

Description
Troj/WowPWS-A is a password stealing Trojan for the Windows platform.

Troj/WowPWS-A targets the online game World of Warcraft, and attempts 
to steal account details.

Advanced
Troj/WowPWS-A is a password stealing Trojan for the Windows platform.

Troj/WowPWS-A targets the online game World of Warcraft, and attempts 
to steal account details.

When first run Troj/WowPWS-A copies itself to the following locations:

<Windows folder>\smss.exe
<Windows folder>\finder.com
<Windows folder>\explorer.com
<Windows folder>\exeroute.exe
<Windows folder>\1.com
<Windows system folder>\msconfig.com
<Windows system folder>\rundll32.com
<Windows system folder>\command.pif
<Windows system folder>\dxdiag.com
<Windows system folder>\regedit.com
<Windows system folder>\finder.com
<Windows folder>\Debug\DebugProgram.exe
<Program Files>\Internet Explorer\iexplor.com
<Program Files>\Common Files\iexplore.pif

Troj/WowPWS-A sets the following registry entries to start the 
various copies of itself:

HKCR\winfiles\Shell\Open\Command
<Windows folder>\exeroute.exe "%1" %*

HKLM\SOFTWARE\Clients\StartMenuInternet\iexplore.pif
LocalizedString
iexplore

HKLM\SOFTWARE\Clients\StartMenuInternet\iexplore.pif\shell\open\command
<Program Files>\Common Files\iexplore.pif

HKLM\SOFTWARE\Windows\CurrentVersion\Run
Torjan Program
<Windows folder>\smss.exe





Name   W32/Mytob-FI

Type  
    * Worm

How it spreads  
    * Email attachments

Affected operating systems  
    * Windows

Side effects  
    * Turns off anti-virus applications
    * Allows others to access the computer
    * Sends itself to email addresses found on the infected computer
    * Forges the sender's email address

Aliases  
    * Net-Worm.Win32.Mytob.bm
    * W32.Mytob.EE@mm

Prevalence (1-5) 2

Description
W32/Mytob-FI is a mass-mailing worm and backdoor Trojan that can be 
controlled through the Internet Relay Chat (IRC) network.

W32/Mytob-FI spreads through email. W32/Mytob-FI harvests email 
addresses from files on the infected computer and from the Windows 
address book. Email sent by W32/Mytob-FI has the following properties:

Subject line:

Your password has been updated
Your password has been successfully updated
You have successfully updated your passworq
Your new account password is approved
Your Account is Suspended
*DETECTED* Online User Violation
Your Account is Suspended For Security Reasons
Warning Message: Your services near to be closed.
Important Notification
Members Support
Security measures
Email Account Suspension
Notice of account limitation

Message text:

Dear user <str>,
You have successfully updated the password of your <str> account.
If you did not authorize this change or if you need assistance with 
your account, please contact <str> customer service at: <str>
Thank you for using <str>!
The <str> Support Team
+++ Attachment: No Virus (Clean)
+++ <str> Antivirus - www.<str>

Dear user <str>,
It has come to our attention that your <str> User Profile ( x ) 
records are out of date. For further details see the attached document.
Thank you for using <str>!
The <str> Support Team
+++ Attachment: No Virus (