Text 161, 1850 rader
Skriven 2005-12-24 01:14:00 av KURT WISMER (1:123/140)
Ärende: News, December 24 2005
==============================
[cut-n-paste from sophos.com]
Name Troj/Small-FQ
Type
* Trojan
Affected operating systems
* Windows
Side effects
* Downloads code from the internet
* Installs itself in the Registry
Aliases
* Trojan-Downloader.Win32.Small.ccj
Prevalence (1-5) 3
Description
Troj/Small-FQ is a Trojan for the Windows platform.
Troj/Small-FQ has the functionality to download, install and run new
software.
Advanced
Troj/Small-FQ is a Trojan for the Windows platform.
Troj/Small-FQ has the functionality to download, install and run new
software.
When run, Troj/Small-FQ creates and runs the file
<Windows>\snake.exe. The file snake.exe is detected by Sophos as
Troj/CashGrab-J.
When run, Troj/Small-FQ sets the following registry entries:
HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\
Parameters\firewallpolicy\
HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\
firewallpolicy\standardprofile\
HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\
firewallpolicy\standardprofile\authorizedapplications\
HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\
firewallpolicy\standardprofile\authorizedapplications\list\
HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\
firewallpolicy\standardprofile\authorizedapplications\list
<pathname of the Trojan executable>
<pathname of the Trojan executable>:*:eNableD:GMMM2
Name W32/Bagle-EX
Type
* Worm
How it spreads
* Email attachments
* Web downloads
Affected operating systems
* Windows
Side effects
* Allows others to access the computer
* Uses its own emailing engine
* Downloads code from the internet
* Reduces system security
Prevalence (1-5) 3
Description
W32/Bagle-EX is an email worm for the Windows platform.
The worm sends email with ZIP file attachments and various subjects
and message texts. At the time of writing, these ZIP files and the
contained EXE files are detected by Sophos's anti-virus products as
Troj/BagleDl-AY.
The email may use one of the following for a message subject:
New Year's
New Year's Day.
Happy New Year
We congratulate happy New Year
The message text may contain either "The password is <image file>" or
"Password: <image file>"
Advanced
W32/Bagle-EX is an email worm for the Windows platform.
When run, W32/Bagle-EX copies itself to the Windows system folder as
wind2ll2.exe and creates the following registry entries:
HKCU\Software\Microsoft\Windows\CurrentVersion\Ru1n
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Ru1n
W32/Bagle-EX does not send email to addresses containing the following:
@derewrdgrs
@eerswqe
@messagelab
@microsoft
anyone@
certific
contract@
f-secur
free-av
gold-certs@
google
icrosoft
listserv
nobody@
noone@
noreply
postmaster@
rating@
samples
support
update
winrar
winzip
Email sent by W32/Bagle-EX contains an attached ZIP file with one of
the following names (followed by the ZIP file extension):
Andrew
Androw
Androwe
Anthonie
Anthony
Anthonye
Bennet
Bennet
Bennett
Christean
Christian
Christian
Constance
Daniel
Daniel
Danyell
Dorithie
Dorothee
Dorothy
Edmond
Edmonde
Edmund
Edmund
Edward
Edward
Edwarde
Elizabeth
Elizabeth
Elizabethe
Emanual
Emanuel
Emanuell
Frances
Francis
Francis
Fraunces
Gabriell
Geoffraie
George
Harrye
Henrie
Henrye
Humphrey
Humphrey
Humphrie
Isabel
Isabell
Isabell
Jeames
Jeffrey
Jeffrye
Josias
Judeth
Judith
Judith
Judithe
Katherine
Katherine
Katheryne
Leonard
Leonard
Leonarde
Margaret
Margaret
Margarett
Margerie
Margerye
Margret
Margrett
Martha
Michael
Michael
Mychaell
Nathaniel
Nathaniel
Nathaniell
Nathanyell
Nicholas
Nicholas
Nicholaus
Nycholas
Rebecka
Richard
Richard
Richarde
Robert
Robert
Roberte
Rycharde
Samuell
Sidney
Sindony
Stephen
Susanna
Susanna
Suzanna
Sybell
Sybyll
Syndony
Thomas
Valentyne
William
Winifred
Wynefrede
Wynefreed
Wynnefreede
At the time of writing, these ZIP files and the contained EXE files
are detected by Sophos's anti-virus products as Troj/BagleDl-AY.
The email may use one of the following for a message subject:
New Year's
New Year's Day.
Happy New Year
We congratulate happy New Year
The message text may contain either "The password is <image file>" or
"Password: <image file>"
Name Troj/BagleDl-AS
Type
* Trojan
Affected operating systems
* Windows
Side effects
* Modifies data on the computer
* Downloads code from the internet
* Installs itself in the Registry
Aliases
* Trojan.Bagle.BN
Prevalence (1-5) 3
Description
Troj/BagleDl-AS is a Trojan for the Windows platform.
Troj/BagleDl-AS includes functionality to access the internet and
communicate with a remote server via HTTP.
Advanced
Troj/BagleDl-AS is a Trojan for the Windows platform.
Troj/BagleDl-AS includes functionality to access the internet and
communicate with a remote server via HTTP.
When first run Troj/BagleDl-AS copies itself to \anti_troj.exe.
The following registry entries are created to run anti_troj.exe on
startup:
HKCU\Software\Microsoft\Windows\CurrentVersion\Run
anti_troj
\anti_troj.exe
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
anti_troj
\anti_troj.exe
Registry entries are created under:
HKCU\Software\FirstRRRun\
Name Troj/Bckdr-E
Type
* Trojan
Affected operating systems
* Windows
Side effects
* Allows others to access the computer
* Installs itself in the Registry
Aliases
* BackDoor-AWQ.b
Prevalence (1-5) 2
Description
Troj/Bckdr-E is a Trojan for the Windows platform.
Advanced
Troj/Bckdr-E is a Trojan for the Windows platform.
When first run Troj/Bckdr-E copies itself to <Windows>\Server2.0.exe.
The file Server2.0.exe is registered as a new system driver service
named "Server2.0", with a display name of "Server2.0" and a startup
type of automatic, so that it is started automatically during system
startup. Registry entries are created under:
HKLM\SYSTEM\CurrentControlSet\Services\Server2.0\
Name W32/Rbot-BCQ
Type
* Spyware Worm
How it spreads
* Network shares
Affected operating systems
* Windows
Side effects
* Allows others to access the computer
* Steals information
* Downloads code from the internet
* Installs itself in the Registry
* Exploits system or software vulnerabilities
* Used in DOS attacks
Aliases
* Backdoor.Win32.Rbot.aeu
Prevalence (1-5) 2
Description
W32/Rbot-BCQ is a worm and IRC backdoor Trojan for the Windows
platform.
W32/Rbot-BCQ spreads:
- to other network computers infected with: Troj/Kuang, Troj/Sub7,
Troj/NetDevil, W32/MyDoom, W32/Bagle and Troj/Optix
- to other network computers by exploiting common buffer overflow
vulnerabilities, including: LSASS (MS04-011), RPC-DCOM (MS04-012),
WKS (MS03-049) (CAN-2003-0812), WebDav (MS03-007), IIS5SSL (MS04-011)
(CAN-2003-0719), UPNP (MS01-059), Veritas (CAN-2004-1172), Dameware
(CAN-2003-1030) and ASN.1 (MS04-007)
- by copying itself to network shares protected by weak passwords
W32/Rbot-BCQ runs continuously in the background, providing a
backdoor server which allows a remote intruder to gain access and
control over the computer via IRC channels.
The following patches for the operating system vulnerabilities
exploited by W32/Rbot-BCQ can be obtained from the Microsoft website:
http://www.microsoft.com/technet/security/bulletin/MS04-011.mspx
http://www.microsoft.com/technet/security/bulletin/MS04-012.mspx
http://www.microsoft.com/technet/security/bulletin/MS03-049.mspx
http://www.microsoft.com/technet/security/bulletin/MS03-007.mspx
http://www.microsoft.com/technet/security/bulletin/MS01-059.mspx
http://www.microsoft.com/technet/security/bulletin/MS04-007.mspx
Advanced
W32/Rbot-BCQ is a worm and IRC backdoor Trojan for the Windows
platform.
W32/Rbot-BCQ spreads:
- to other network computers infected with: Troj/Kuang, Troj/Sub7,
Troj/NetDevil, W32/MyDoom, W32/Bagle and Troj/Optix
- to other network computers by exploiting common buffer overflow
vulnerabilities, including: LSASS (MS04-011), RPC-DCOM (MS04-012),
WKS (MS03-049) (CAN-2003-0812), WebDav (MS03-007), IIS5SSL (MS04-011)
(CAN-2003-0719), UPNP (MS01-059), Veritas (CAN-2004-1172), Dameware
(CAN-2003-1030) and ASN.1 (MS04-007)
- by copying itself to network shares protected by weak passwords
W32/Rbot-BCQ runs continuously in the background, providing a
backdoor server which allows a remote intruder to gain access and
control over the computer via IRC channels.
When first run W32/Rbot-BCQ copies itself to <System>\winupl.exe.
The following registry entries are created to run winupl.exe on
startup:
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
DRam prosessor
winupl.exe
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices
DRam prosessor
winupl.exe
Registry entries are set as follows:
HKCU\Software\Microsoft\OLE
DRam prosessor
winupl.exe
HKLM\SOFTWARE\Microsoft\Ole
EnableDCOM
N
HKLM\SYSTEM\CurrentControlSet\Control\Lsa
restrictanonymous
1
The following patches for the operating system vulnerabilities
exploited by W32/Rbot-BCQ can be obtained from the Microsoft website:
http://www.microsoft.com/technet/security/bulletin/MS04-011.mspx
http://www.microsoft.com/technet/security/bulletin/MS04-012.mspx
http://www.microsoft.com/technet/security/bulletin/MS03-049.mspx
http://www.microsoft.com/technet/security/bulletin/MS03-007.mspx
http://www.microsoft.com/technet/security/bulletin/MS01-059.mspx
http://www.microsoft.com/technet/security/bulletin/MS04-007.mspx
Name Troj/BagleDl-AR
Type
* Trojan
Affected operating systems
* Windows
Side effects
* Downloads code from the internet
* Reduces system security
* Installs itself in the Registry
Prevalence (1-5) 2
Description
Troj/BagleDl-AR is a Trojan for the Windows platform.
Troj/BagleDl-AR includes functionality to access the internet and
communicate with a remote server via HTTP.
Advanced
Troj/BagleDl-AR is a Trojan for the Windows platform.
Troj/BagleDl-AR includes functionality to access the internet and
communicate with a remote server via HTTP.
Troj/BagleDl-AR may arrive as attachment in the email with the
following message text:
Dear customer.
Thank you for your subscription to http://www.<sitename>.com.
You have been billed as Paycom LLC for the amount of: GBP 24.95 for
30 days then GBP 24.95 recurring every 30 days.
Time: 2005-12-16 10:54:56
Transaction ID: 965658
Amount: GBP 24.95
Applied to Account #: 10915104
Pay Method: VISA
Your new subscription identification number is: 10915104, please
keep this number in a safe place, as it will be required
for reference in all future correspondence regarding your
membership.
Your membership access information is:
Username for your subscription: 112002
Password for your subscription: regina
Membership website: http://www.<sitename>.com
For further details regarding this transaction and direct access to
our online billing support services, available
24-hours a day, 365-days a year, please check your transaction
details in attachment.
Thank you for choosing Paycom as the eMerchant for your
subscription!
Customer Support
****************************************
Billing services provided by Paycom, LLC
Troj/BagleDl-AR attempts to download to the Windows folder and execute
msupdate.exe file. This file is detected as Troj/CashGrab-I.
The following registry entry is set, affecting internet security:
HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters
\firewallpolicy\standardprofile\authorizedapplications\list
<pathname of the Trojan executable>
<original filename>:*:EnaBleD:cvv2
Name Troj/Agent-GG
Type
* Trojan
Affected operating systems
* Windows
Aliases
* Backdoor.Win32.Agent.ah
* Trojan-Downloader.Win32.PurityScan.d
* W32/Backdoor.ALU
Prevalence (1-5) 2
Description
Troj/Agent-GG is a Trojan for the Windows platform.
Troj/Agent-GG includes functionality to access the internet and
communicate with a remote server via HTTP.
Advanced
Troj/Agent-GG is a Trojan for the Windows platform.
Troj/Agent-GG includes functionality to access the internet and
communicate with a remote server via HTTP.
When Troj/Agent-GG is installed the following files are created:
<Windows system folder>\vld5750.dll
The file vld5750.dll is registered as a COM object and Browser Helper
Object (BHO) for Microsoft Internet Explorer, creating registry
entries under:
HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser
Helper Objects\{CF021F40-3E14-23A5-CBA2-71766C645750}
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser
Helper Objects\{CF021F40-3E14-23A5-CBA2-71766C645750}
HKCR\CLSID\{CF021F40-3E14-23A5-CBA2-71766C645750}
HKCR\Interface\{CF021F40-3E14-23A5-CBA2-71766C645750}
HKCR\TypeLib\{CF021F40-3E14-23A5-CBA2-71766C645750}
HKCR\VLD5750.VLD5750.1\
Registry entries are created under:
HKCR\VLD5750.VLD5750\
Name W32/Feebs-A
Type
* Spyware Worm
How it spreads
* Email attachments
Affected operating systems
* Windows
Side effects
* Turns off anti-virus applications
* Allows others to access the computer
* Steals information
* Drops more malware
* Reduces system security
* Installs itself in the Registry
* Leaves non-infected files on computer
Prevalence (1-5) 2
Description
W32/Feebs-A is a worm for the Windows platform.
The worm may arrive as an attachment to an email claiming to be sent
via "Protected E-Mail service" with bogus credentials. The message
may lure the recipient into entering the supplied credentials into an
attached HTML document.
W32/Feebs-A also creates several copies of itself in ZIP format in
paths containing "share".
W32/Feebs-A may also harvest information from the infected computer
and send stolen data to a remote user via FTP.
Advanced
W32/Feebs-A is a worm for the Windows platform.
The worm may arrive as an attachment to an email claiming to be sent
via "Protected E-Mail service" with bogus credentials. The message
may lure the recipient into entering the supplied credentials into an
attached HTML document.
The worm copies itself to the Windows system folder as ms<two random
letters>.exe and creates the file ms<random characters>.dll.
W32/Feebs-A also creates several copies of itself in ZIP format in
paths containing "share". The worm uses the following ZIP filenames:
3dsmax_9_(3D_Studio_Max)_new!_full+crack.zip
ACDSee_9_new!_full+crack.zip
Adobe_Photoshop_10_(CS3)_new!_full+crack.zip
Adobe_Premiere_9_(2.0_pro)_new!_full+crack.zip
Ahead_Nero_8_new!_full+crack.zip
DivX_7.0_new!_full+crack.zip
ICQ_2006_new!_full+crack.zip
Internet_Explorer_7_new!_full+crack.zip
Kazaa_4_new!_full+crack.zip
Longhorn_new!_full+crack.zip
Microsoft_Office_2006_new!_full+crack.zip
winamp_5.2_new!_full+crack.zip
W32/Feebs-A may also harvest information from the infected computer
and send stolen data to a remote user via FTP.
The worm modifies registry entries under:
HKCR\CLSID\{<random clsid>}\InprocServer32
(default)
"<System>\<path to worm DLL component>"
HKCU\Software\Policies\Microsoft\WindowsFirewall
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\
ShellServiceObjectDelayLoad\
<Worm DLL Component>
"{<random clsid>}"
HKLM\SOFTWARE\Policies\Microsoft\WindowsFirewall
Name Troj/Banload-BS
Type
* Trojan
Affected operating systems
* Windows
Side effects
* Downloads code from the internet
Aliases
* Trojan-Downloader.Win32.Banload.kh
Prevalence (1-5) 2
Description
Troj/Banload-BS is a Trojan downloader for the Windows platform.
Troj/Banload-BS includes functionality to access the internet and
communicate
with a remote server via HTTP.
Name W32/Traxg-G
Type
* Worm
How it spreads
* Email attachments
* Network shares
Affected operating systems
* Windows
Side effects
* Sends itself to email addresses found on the infected computer
* Drops more malware
* Installs itself in the Registry
* Exploits system or software vulnerabilities
Aliases
* WORM_XDDTRAY.A
* W32.Xddtray@mm
Prevalence (1-5) 2
Description
W32/Traxg-G is a worm for the Windows platform.
W32/Traxg-G includes functionality to spread through emails, network
shares or by coping itself to the drives A and D.
W32/Traxg-G may display the following fake warning message:
Warning
This Folder Has Been Damage!
Advanced
W32/Traxg-G is a worm for the Windows platform.
W32/Traxg-G includes functionality to spread through emails, network
shares or by coping itself to the drives A and D with the filename
Windows.exe.
The worm may add a user account "admin" if it does not already exist.
The worm also may create network shares for local files and folders.
W32/Traxg-G may display the following fake warning message:
Warning
This Folder Has Been Damage!
Registry entries are set as follows:
HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced
Hidden
0
HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced
HideFileExt
1
The worm may create the files C:\FOLDER.HTT and nethood.htm. This
file exploits the "Microsoft VM ActiveX Component" vulnerabilty,
associated with certain versions of Microsoft Internet Explorer, to
run further executable code. This vulnerability allows an HTML-based
script to access the file system or registry without any of the usual
security restrictions placed on ActiveX controls. For further
information see Microsoft security bulletin MS00-075.
Name Troj/BagleDl-AP
Type
* Trojan
Affected operating systems
* Windows
Side effects
* Allows others to access the computer
* Downloads code from the internet
* Installs itself in the Registry
Aliases
* Bloodhound.Beagle
* W32/Bagle.gen
Prevalence (1-5) 2
Description
Troj/BagleDl-AP is a downloader Trojan for the Windows platform.
Advanced
Troj/BagleDl-AP is a downloader Trojan for the Windows platform.
Troj/BagleDl-AP includes functionality to access the internet and
communicate with a remote server via HTTP.
When first run Troj/BagleDl-AP copies itself to <System>\anti_troj.exe.
The following registry entries are created to run anti_troj.exe on
startup:
HKCU\Software\Microsoft\Windows\CurrentVersion\Run
anti_troj
<System>\anti_troj.exe
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
anti_troj
<System>\anti_troj.exe
Registry entries are created under:
HKCU\Software\FirstRRRun\
Name W32/Rbot-AFV
Type
* Spyware Worm
How it spreads
* Network shares
Affected operating systems
* Windows
Side effects
* Allows others to access the computer
* Steals information
* Downloads code from the internet
* Reduces system security
* Installs itself in the Registry
Aliases
* Backdoor.Win32.Rbot.sr
Prevalence (1-5) 2
Description
W32/Rbot-AFV is an internet worm and IRC backdoor Trojan for the
Windows platform.
W32/Rbot-AFV spreads to other network computers by exploiting the
buffer overflow vulnerabilites LSASS (MS04-011), RPC-DCOM (MS04-012),
WKS (MS03-049) and MSSQL (MS02-039) and by copying itself to network
shares protected by weak passwords.
W32/Rbot-AFV runs continuously in the background, providing a
backdoor server which allows a remote intruder to gain access and
control over the computer via IRC channels.
The following patches for the operating system vulnerabilities
exploited by W32/Rbot-AFV can be obtained from the Microsoft website:
http://www.microsoft.com/technet/security/bulletin/MS04-011.mspx
http://www.microsoft.com/technet/security/bulletin/MS04-012.mspx
http://www.microsoft.com/technet/security/bulletin/MS03-049.mspx
http://www.microsoft.com/technet/security/bulletin/MS02-039.mspx
Advanced
W32/Rbot-AFV is an internet worm and IRC backdoor Trojan for the
Windows platform.
W32/Rbot-AFV spreads to other network computers by exploiting the
buffer overflow vulnerabilites LSASS (MS04-011), RPC-DCOM (MS04-012),
WKS (MS03-049) and MSSQL (MS02-039) and by copying itself to network
shares protected by weak passwords.
W32/Rbot-AFV runs continuously in the background, providing a
backdoor server which allows a remote intruder to gain access and
control over the computer via IRC channels.
W32/Rbot-AFV includes functionality to:
- steal confidential information
- carry out DDoS flooder attacks
- silently download, install and run new software, including updates
of its software
When first run W32/Rbot-AFV moves itself to the Windows system folder
using a random filename and creates the following registry entries to
ensure it is run at system logon:
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
AIM Instant Message Cookies
<random name>
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices
AIM Instant Message Cookies
<random name>
HKCU\Software\Microsoft\Windows\CurrentVersion\Run
AIM Instant Message Cookies
<random name>
HKCU\Software\Microsoft\Windows\CurrentVersion\RunServices
AIM Instant Message Cookies
<random name>
W32/Rbot-AFV creates the following registry entries:
HKLM\SOFTWARE\Microsoft\Ole
AIM Instant Message Cookies
<random name>
HKLM\SYSTEM\CurrentControlSet\Control\Lsa
AIM Instant Message Cookies
<random name>
HKCU\Software\Microsoft\OLE
AIM Instant Message Cookies
<random name>
HKCU\SYSTEM\CurrentControlSet\Control\Lsa
AIM Instant Message Cookies
<random name>
W32/Rbot-AFV also sets the following registry entries:
HKLM\SOFTWARE\Microsoft\Ole
EnableDCOM
N
HKLM\SYSTEM\CurrentControlSet\Control\Lsa
restrictanonymous
1
The following patches for the operating system vulnerabilities
exploited by W32/Rbot-AFV can be obtained from the Microsoft website:
http://www.microsoft.com/technet/security/bulletin/MS04-011.mspx
http://www.microsoft.com/technet/security/bulletin/MS04-012.mspx
http://www.microsoft.com/technet/security/bulletin/MS03-049.mspx
http://www.microsoft.com/technet/security/bulletin/MS02-039.mspx
Name W32/Bloat-A
Type
* Virus
How it spreads
* Infected files
Affected operating systems
* Windows
Side effects
* Modifies data on the computer
* Installs itself in the Registry
Prevalence (1-5) 2
Description
W32/Bloat-A is a prepending virus for the Windows platform.
Advanced
W32/Bloat-A is a prepending virus for the Windows platform.
When run the virus will create the file <Windows>\svchost.com and
modify the
following registry entry:
HKLM\SOFTWARE\CLASSES\exefile\shell\open\command
(default)
<Windows>\svchost.com "%1 %*"
The infected file will run the original host while it infects other
files on
the computer.
Name Troj/Smwg-A
Type
* Trojan
Affected operating systems
* Windows
Aliases
* Constructor.Win32.SMWG.b
* New
Prevalence (1-5) 2
Description
Troj/Smwg-A is a Trojan for the Windows platform.
Name W32/Sunk-A
Type
* Worm
How it spreads
* Chat programs
* Peer-to-peer
Affected operating systems
* Windows
Aliases
* Virus.Win32.VB.aa
Prevalence (1-5) 2
Description
W32/Sunk-A is a worm for the Windows platform.
The worm will display the following fake error message:
"An unexpected error has occurred on the execution of this file"
W32/Sunk-A will attempt to replace every file on the infected
computer that has the extension EXE with a copy of itself. The worm
will also copy itself to folders known to be used by popular
Peer-To-Peer programs using various names.
W32/Sunk-A will send messages to AIM users with one of the following
messages and a link to a url that contains an executable:
Aim Hacker 1.3 FREE!
Best Aim Password Cracker written by ZeX.
Better then limewire and kazaa put together!
Check my Pics Out!
Check out my music!
Check out my webcam.
Click to join! Better then myspace and xanga!
Cool hacking programs!
Download Aim Optimized 4.9!
Download Dead Aim (5.9+)- NEW!
Download my mp3 i made.
Download My Profile.
Email Hacker Pro 1.5 This is awsome! :)
Free Aim Password Cracker. Use it to hack your friends.
Funniest Clip Ever!
Game Hacker program download here.
Get X-im Chat! Better then AIM!
Hack Webcams and Aim accounts with O-Hax! This is the last day it
will be out
for free!
Have you see this!
INFINITE FREE PICS OF ASIAN HOTTIES!
Join this free music site!
LMAO OMG THIS IS HILARIOUS!
LOL Check these Pics out.
Lol OMG! Someone posted your picture here!
LOL Watch this clip!
LOLOL WTF IS THIS?!
Make your own Profile!
My Xanga!
OMG LOOK IT'S YOU!
Play the new Aim Online game!
See my Beach pictures!!
Take my Quiz!
THE KEY TO HAPPINESS IS LAUGHTER!
This game is badass! Play now!
View My BuddyProfile
Wanna See My Profile!
Advanced
W32/Sunk-A is a worm for the Windows platform.
W32/Sunk-A will copy itself to the following locations:
C:\skunk.exe
C:\Documents and Settings\All Users\Start
Menu\Programs\Startup\Skunk.exe
C:\WINDOWS\system32\Skunk.exe
C:\WINNT\system32\Skunk.exe
A:\Skunk.exe
The worm will also display the following fake error message:
"An unexpected error has occurred on the execution of this file"
W32/Sunk-A will change a large number of registry entries under:
HKCU\Software\Microsoft\Windows\CurrentVersion\Policies
W32/Sunk-A will attempt to replace every file on the infected
computer that has the extension EXE with a copy of itself. The worm
will also copy itself to folders known to be used by popular
Peer-To-Peer programs using various names.
W32/Sunk-A will send messages to AIM users with one of the following
messages and a link to a url that contains an executable:
Aim Hacker 1.3 FREE!
Best Aim Password Cracker written by ZeX.
Better then limewire and kazaa put together!
Check my Pics Out!
Check out my music!
Check out my webcam.
Click to join! Better then myspace and xanga!
Cool hacking programs!
Download Aim Optimized 4.9!
Download Dead Aim (5.9+)- NEW!
Download my mp3 i made.
Download My Profile.
Email Hacker Pro 1.5 This is awsome! :)
Free Aim Password Cracker. Use it to hack your friends.
Funniest Clip Ever!
Game Hacker program download here.
Get X-im Chat! Better then AIM!
Hack Webcams and Aim accounts with O-Hax! This is the last day it
will be out
for free!
Have you see this!
INFINITE FREE PICS OF ASIAN HOTTIES!
Join this free music site!
LMAO OMG THIS IS HILARIOUS!
LOL Check these Pics out.
Lol OMG! Someone posted your picture here!
LOL Watch this clip!
LOLOL WTF IS THIS?!
Make your own Profile!
My Xanga!
OMG LOOK IT'S YOU!
Play the new Aim Online game!
See my Beach pictures!!
Take my Quiz!
THE KEY TO HAPPINESS IS LAUGHTER!
This game is badass! Play now!
View My BuddyProfile
Wanna See My Profile!
Name W32/Rbot-BFL
Type
* Spyware Worm
How it spreads
* Network shares
Affected operating systems
* Windows
Side effects
* Allows others to access the computer
* Steals information
* Downloads code from the internet
* Records keystrokes
* Installs itself in the Registry
* Exploits system or software vulnerabilities
* Used in DOS attacks
Prevalence (1-5) 2
Description
W32/Rbot-BFL is an internet worm and IRC backdoor Trojan for the
Windows platform.
W32/Rbot-BFL spreads to other network computers by exploiting common
buffer overflow vulnerabilities, including: LSASS (MS04-011) and
RPC-DCOM (MS04-012) and by copying itself to network shares protected
by weak passwords.
W32/Rbot-BFL runs continuously in the background, providing a
backdoor server which allows a remote intruder to gain access and
control over the computer via IRC channels.
W32/Rbot-BFL includes functionality to:
- steal confidential information
- carry out DDoS flooder attacks
- silently download, install and run new software
The following patches for the operating system vulnerabilities
exploited by W32/Rbot-BFL can be obtained from the Microsoft website:
http://www.microsoft.com/technet/security/bulletin/MS04-011.mspx
http://www.microsoft.com/technet/security/bulletin/MS04-012.mspx
Advanced
W32/Rbot-BFL is an internet worm and IRC backdoor Trojan for the
Windows platform.
W32/Rbot-BFL spreads to other network computers by exploiting common
buffer overflow vulnerabilities, including: LSASS (MS04-011) and
RPC-DCOM (MS04-012) and by copying itself to network shares protected
by weak passwords.
W32/Rbot-BFL runs continuously in the background, providing a
backdoor server which allows a remote intruder to gain access and
control over the computer via IRC channels.
W32/Rbot-BFL includes functionality to:
- steal confidential information
- carry out DDoS flooder attacks
- silently download, install and run new software
When first run W32/Rbot-BFL moves itself to <System>\BIOSserv.exe.
The following registry entries are created to run BIOSserv.exe on
startup:
HKCU\Software\Microsoft\Windows\CurrentVersion\Run
BIOS Net Service
BIOSserv.exe
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
BIOS Net Service
BIOSserv.exe
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices
BIOS Net Service
BIOSserv.exe
Registry entries are set as follows:
HKLM\SOFTWARE\Microsoft\Ole
EnableDCOM
N
HKLM\SYSTEM\CurrentControlSet\Control\Lsa
restrictanonymous
1
The following patches for the operating system vulnerabilities
exploited by W32/Rbot-BFL can be obtained from the Microsoft website:
http://www.microsoft.com/technet/security/bulletin/MS04-011.mspx
http://www.microsoft.com/technet/security/bulletin/MS04-012.mspx
Name W32/Protorid-AG
Type
* Spyware Worm
How it spreads
* Network shares
Affected operating systems
* Windows
Side effects
* Allows others to access the computer
* Steals information
* Reduces system security
* Installs itself in the Registry
* Exploits system or software vulnerabilities
Aliases
* W32/Protoride.worm
Prevalence (1-5) 2
Description
W32/Protorid-AG is a worm and IRC backdoor Trojan for the Windows
platform.
W32/Protorid-AG spreads to other network computers infected with:
Troj/NetDevil, W32/MyDoom, W32/Bagle and Troj/Optix and by copying
itself to network shares protected by weak passwords.
W32/Protorid-AG runs continuously in the background, providing a
backdoor server which allows a remote intruder to gain access and
control over the computer via IRC channels.
Advanced
W32/Protorid-AG is a worm and IRC backdoor Trojan for the Windows
platform.
W32/Protorid-AG spreads to other network computers infected with:
Troj/NetDevil, W32/MyDoom, W32/Bagle and Troj/Optix and by copying
itself to network shares protected by weak passwords.
W32/Protorid-AG runs continuously in the background, providing a
backdoor server which allows a remote intruder to gain access and
control over the computer via IRC channels.
When first run W32/Protorid-AG copies itself to the Windows system
folder.
The following registry entry is created to run W32/Protorid-AA on
startup:
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Windows Taskbar Manager
<System>\<original worm filename>
W32/Protorid-AG may also set the registry entry:
HKLM\Software\BeyonD inDustries\ProtoType[v3]
W32/Protorid-AG copies itself as INTERNAT.EXE to the startup folder
of the available shared network computers:
\WINDOWS\Menu Iniciar\Programas\Iniciar\
\WIN98\Menu Iniciar\Programas\Iniciar\
\WINME\Menu Iniciar\Programas\Iniciar\
\WIN95\Menu Iniciar\Programas\Iniciar\
\WINDOWS.000\Menu Iniciar\Programas\Iniciar\
\WINDOWS\Start Menu\Programs\StartUp\
\WIN98\Start Menu\Programs\StartUp\
\WINME\Start Menu\Programs\StartUp\
\WIN95\Start Menu\Programs\StartUp\
\WINDOWS.000\Start Menu\Programs\StartUp\
\Documents and Settings\All Users\Start Menu\Programs\StartUp\
\Documents and Settings\All Users\Menu Iniciar\Programas\Iniciar\
\Documents and Settings\All Users\Menuen Start\Programmer\Start\
\WINDOWS\Menuen Start\Programmer\Start\
\WIN98\Menuen Start\Programmer\Start\
\WINME\Menuen Start\Programmer\Start\
\WIN95\Menuen Start\Programmer\Start\
\Documents and Settings\All Users\Menu Start\Programma's\Opstarten\
\WINDOWS\Menu Start\Programma's\Opstarten\
\WIN98\Menu Start\Programma's\Opstarten\
\WINME\Menu Start\Programma's\Opstarten\
\WIN95\Menu Start\Programma's\Opstarten\
\Documents and Settings\All Users\Start Menu\Programlar\BASLANGI
\WINDOWS\Start Menu\Programlar\BASLANGI
\WIN98\Start Menu\Programlar\BASLANGI
\WINME\Start Menu\Programlar\BASLANGI
\WIN95\Start Menu\Programlar\BASLANGI
\Documents and Settings\All Users\Menu Start\Programy\Autostart\
\WINDOWS\Menu Start\Programy\Autostart\
\WIN98\Menu Start\Programy\Autostart\
\WINME\Menu Start\Programy\Autostart\
\WIN95\Menu Start\Programy\Autostart\
\Documents and Settings\All Users\Start-Reny\Programmer\Oppstart\
\WINDOWS\Start-Reny\Programmer\Oppstart\
\WIN98\Start-Reny\Programmer\Oppstart\
\WINME\Start-Reny\Programmer\Oppstart\
\WIN95\Start-Reny\Programmer\Oppstart\
\Documents and Settings\All Users\Start-Renyn\Program\Autostart\
\WINDOWS\Start-Renyn\Program\Autostart\
\WIN98\Start-Renyn\Program\Autostart\
\WINME\Start-Renyn\Program\Autostart\
\WIN95\Start-Renyn\Program\Autostart\
\Documents and Settings\All Users\Menu Avvio\Programmi\Esecuzione
automatica\
\WINDOWS\Menu Avvio\Programmi\Esecuzione automatica\
\WIN98\Menu Avvio\Programmi\Esecuzione automatica\
\WINME\Menu Avvio\Programmi\Esecuzione automatica\
\WIN95\Menu Avvio\Programmi\Esecuzione automatica
Name W32/Sdbot-TQ
Type
* Spyware Worm
How it spreads
* Network shares
Affected operating systems
* Windows
Side effects
* Allows others to access the computer
* Steals information
* Downloads code from the internet
* Reduces system security
* Installs itself in the Registry
Prevalence (1-5) 2
Description
W32/Sdbot-TQ is a network worm with backdoor functionality for the
Windows platform.
The worm spreads through network shares protected by weak passwords.
When copying itself across the network, W32/Sdbot-TQ uses the
filename msgfix.exe.
The backdoor component joins an IRC channel and awaits further
commands from a remote user.
Advanced
W32/Sdbot-TQ is a network worm with backdoor functionality for the
Windows platform.
When first run, W32/Sdbot-TQ copies itself to the Windows system
folder as WindowsSP2.exe and creates the following registry entries
in order to run each time a user logs on:
HKLM\Software\Microsoft\Windows\CurrentVersion\Run
Windows Service Pack 2
WindowsSP2.exe
HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices
Windows Service Pack 2
WindowsSP2.exe
HKCU\Software\Microsoft\Windows\CurrentVersion\Run
Windows Service Pack 2
WindowsSP2.exe
The worm spreads through network shares protected by weak passwords.
When copying itself across the network, W32/Sdbot-TQ uses the
filename msgfix.exe.
The backdoor component joins an IRC channel and awaits further
commands from a remote user. W32/Sdbot-TQ can then be instructed to
perform the following:
download/execute arbitrary files
take part in distributed denial of service (DDoS) attacks
perform proxy server functionality
modify the system registry
steal product registration information for certain software
Name W32/Bobax-N
Type
* Virus
How it spreads
* Email attachments
Affected operating systems
* Windows
Side effects
* Sends itself to email addresses found on the infected computer
* Drops more malware
* Forges the sender's email address
* Uses its own emailing engine
* Installs itself in the Registry
Aliases
* Net-Worm.Win32.Bobic.d
* W32.Bobax.Z@mm
* W32.Proxed
Prevalence (1-5) 2
Description
W32/Bobax-N is an email virus for the Windows platform.
W32/Bobax-N has the ability to infect executable files.
W32/Bobax-N can send itself to email addresses harvested from the
infected computer.
W32/Bobax-N attempts to contact a number of preconfigured internet
sites in order to report successful infection.
Emails sent by the worm have the following characteristics:
Subject line:
Cool
Captured..
He has been captured..
Finally! Captured
Finally
God Bless the USA!
Message text (chosen from):
Saddam Hussein - Attempted Escape, Shot dead
Attached some pics that i found
Osama Bin Laden Captured.
Attached some pics that i found
Testing
Secret!
Hey,
Remember this?
Hello,
Long time! Check this out!
Hey,
I was going through my album, and look what I found..
Hey,
Check this out :-)
+++ Attachment: No Virus found
+++ Panda AntiVirus - You are protected
+++ www.pandasoftware.com
+++ Attachment: No Virus found
+++ Norman AntiVirus - You are protected
+++ www.norman.com
+++ Attachment: No Virus found
+++ F-Secure AntiVirus - You are protected
+++ www.f-secure.com
+++ Attachment: No Virus found
+++ Norton AntiVirus - You are protected
+++ www.symantec.com
"Turn on your TV.
Osama Bin Laden has been captured.
While CNN has no pictures at this point of time, the military channel
(PPV) rele
ased some pictures.
I managed to capture a couple of these pictures off my TV.
Ive attached a slideshow containing all the pictures I managed to
capture.
I apologize for the low quality, its the best I could do at this
point of time.
Hopefully CNN will have pictures and a video soon.
God bless the USA!"
Possible attached filename stubs:
pics
funny
bush
joke
secret
Possible attached file extensions:
pif
exe
scr
zip
W32/Bobax-N also attempts to disable the Windows firewall and
attempts to suppress Windows security warnings.
Advanced
W32/Bobax-N is an email virus for the Windows platform.
W32/Bobax-N has the ability to infect executable files.
W32/Bobax-N can send itself to email addresses harvested from the
infected computer.
W32/Bobax-N attempts to contact a number of preconfigured internet
sites in order to report successful infection.
Emails sent by the worm have the following characteristics:
Subject line:
Cool
Captured..
He has been captured..
Finally! Captured
Finally
God Bless the USA!
Message text (chosen from):
Saddam Hussein - Attempted Escape, Shot dead
Attached some pics that i found
Osama Bin Laden Captured.
Attached some pics that i found
Testing
Secret!
Hey,
Remember this?
Hello,
Long time! Check this out!
Hey,
I was going through my album, and look what I found..
Hey,
Check this out :-)
+++ Attachment: No Virus found
+++ Panda AntiVirus - You are protected
+++ www.pandasoftware.com
+++ Attachment: No Virus found
+++ Norman AntiVirus - You are protected
+++ www.norman.com
+++ Attachment: No Virus found
+++ F-Secure AntiVirus - You are protected
+++ www.f-secure.com
+++ Attachment: No Virus found
+++ Norton AntiVirus - You are protected
+++ www.symantec.com
"Turn on your TV.
Osama Bin Laden has been captured.
While CNN has no pictures at this point of time, the military channel
(PPV) rele
ased some pictures.
I managed to capture a couple of these pictures off my TV.
Ive attached a slideshow containing all the pictures I managed to
capture.
I apologize for the low quality, its the best I could do at this
point of time.
Hopefully CNN will have pictures and a video soon.
God bless the USA!"
Possible attached filename stubs:
pics
funny
bush
joke
secret
Possible attached file extensions:
pif
exe
scr
zip
W32/Bobax-N may copy itself to the Windows system folder with a
random lowercase filename and may create the following registry entry
in order to run automatically on computer login:
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
<random>
<System>\<worm filename>
The dropper component of the worm creates a DLL in a temporary folder
and injects this DLL into the Shell_Tray process. The DLL contains
the spreading functionality of the worm and can disable mouse and
keyboard input to process enumeration windows. Thus the worm may
disable the Task Manager window.
W32/Bobax-N may set the following registry entries to disable the
Windows firewall and automatic security notifications:
HKLM\SOFTWARE\Microsoft\Security Center
FirewallOverride
1
HKLM\SOFTWARE\Microsoft\Security Center
FirewallDisableNotify
1
HKLM\SOFTWARE\Microsoft\Security Center
AntiVirusDisableNotify
1
HKLM\SOFTWARE\Microsoft\Security Center
UpdatesDisableNotify
1
W32/Bobax-N also attempts to execute the following commands:
netsh.exe firewall set opmode mode=disable profile=all
sc.exe config SharedAccess start= disabled
Name W32/Tilebot-GS
Type
* Worm
How it spreads
* Network shares
Affected operating systems
* Windows
Side effects
* Allows others to access the computer
* Modifies data on the computer
* Drops more malware
* Reduces system security
* Installs itself in the Registry
* Exploits system or software vulnerabilities
Aliases
* WORM_SDBOT.CWF
* W32/Tilebot-Gen
Prevalence (1-5) 2
Description
W32/Tilebot-GS is a worm and IRC backdoor for the Windows platform.
W32/Tilebot-GS spreads to other network computers by exploiting
common buffer overflow vulnerabilities, including: LSASS
(http://www.microsoft.com/technet/security/bulletin/MS04-011.mspx),
RPC-DCOM
(http://www.microsoft.com/technet/security/bulletin/MS04-012.mspx),
WKS
(http://www.microsoft.com/technet/security/bulletin/MS03-049.mspx)
(CAN-2003-0812), PNP
(http://www.microsoft.com/technet/security/bulletin/MS05-039.mspx)
and ASN.1
(http://www.microsoft.com/technet/security/bulletin/MS04-007.mspx)
and by copying itself to network shares protected by weak passwords.
W32/Tilebot-GS runs continuously in the background, providing a
backdoor server which allows a remote intruder to gain access and
control over the computer via IRC channels.
W32/Tilebot-GS includes functionality to access the internet and
communicate with a remote server via HTTP.
The following patches for the vulnerabilities exploited by
W32/Tilebot-GS are available from Microsoft:
http://www.microsoft.com/technet/security/bulletin/MS03-049.mspx
http://www.microsoft.com/technet/security/bulletin/MS04-007.mspx
http://www.microsoft.com/technet/security/bulletin/MS04-011.mspx
http://www.microsoft.com/technet/security/bulletin/MS04-012.mspx
http://www.microsoft.com/technet/security/bulletin/MS05-039.mspx
Advanced
W32/Tilebot-GS is a worm and IRC backdoor for the Windows platform.
W32/Tilebot-GS spreads to other network computers by exploiting
common buffer overflow vulnerabilities, including: LSASS
(http://www.microsoft.com/technet/security/bulletin/MS04-011.mspx),
RPC-DCOM
(http://www.microsoft.com/technet/security/bulletin/MS04-012.mspx),
WKS
(http://www.microsoft.com/technet/security/bulletin/MS03-049.mspx)
(CAN-2003-0812), PNP
(http://www.microsoft.com/technet/security/bulletin/MS05-039.mspx)
and ASN.1
(http://www.microsoft.com/technet/security/bulletin/MS04-007.mspx)
and by copying itself to network shares protected by weak passwords.
W32/Tilebot-GS runs continuously in the background, providing a
backdoor server which allows a remote intruder to gain access and
control over the computer via IRC channels.
W32/Tilebot-GS includes functionality to access the internet and
communicate with a remote server via HTTP.
When first run W32/Tilebot-GS copies itself to <Windows
folder>\nvidcgui.exe and creates the file <Windows system
folder>\remon.sys.
The file remon.sys is detected as Troj/RKFu-A.
The file nvidcgui.exe is registered as a new system driver service
named "pxlmdl", with a display name of "PixelModule" and a startup
type of automatic, so that it is started automatically during system
startup. Registry entries are created under:
HKLM\SYSTEM\CurrentControlSet\Services\pxlmdl\
The file remon.sys is registered as a new system driver service named
"remon", with a display name of "remon". Registry entries are created
under:
HKLM\SYSTEM\CurrentControlSet\Services\remon\
The following registry entries are set, disabling the registry editor
(regedit) and the Windows task manager (taskmgr):
HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System
DisableTaskMgr
1
HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System
DisableRegistryTools
1
W32/Tilebot-GS sets the following registry entries, disabling the
automatic startup of other software:
HKLM\SYSTEM\CurrentControlSet\Services\Messenger
Start
4
HKLM\SYSTEM\CurrentControlSet\Services\RemoteRegistry
Start
4
HKLM\SYSTEM\CurrentControlSet\Services\TlntSvr
Start
4
Registry entries are set as follows:
HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate
DoNotAllowXPSP2
1
HKLM\SOFTWARE\Microsoft\Ole
EnableDCOM
N
HKLM\SYSTEM\CurrentControlSet\Control\Lsa
restrictanonymous
1
Registry entries are created under:
HKLM\SOFTWARE\Microsoft\Security Center\
HKLM\SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile\
HKLM\SOFTWARE\Policies\Microsoft\WindowsFirewall\StandardProfile\
The following patches for the vulnerabilities exploited by
W32/Tilebot-GS are available from Microsoft:
http://www.microsoft.com/technet/security/bulletin/MS03-049.mspx
http://www.microsoft.com/technet/security/bulletin/MS04-007.mspx
http://www.microsoft.com/technet/security/bulletin/MS04-011.mspx
http://www.microsoft.com/technet/security/bulletin/MS04-012.mspx
http://www.microsoft.com/technet/security/bulletin/MS05-039.mspx
--- MultiMail/Win32 v0.43
* Origin: Try Our Web Based QWK: DOCSPLACE.ORG (1:123/140)
|