Conference VIRUS, 378 messages
Text 172, 1805 lines
Written 2006-01-21 11:58:00 by KURT WISMER (1:123/140)
Subject: News, January 21 2006
=============================
[cut-n-paste from sophos.com]

Name   Troj/Banload-IJ

Type  
    * Trojan

Affected operating systems  
    * Windows

Side effects  
    * Downloads code from the internet

Aliases  
    * Trojan-Downloader.Win32.Banload.fc

Prevalence (1-5) 2

Description
Troj/Banload-IJ is a Trojan for the Windows platform.

Troj/Banload-IJ includes functionality to download, install and run 
new software.

It will try to download to C:\windows\spoolsv.exe.





Name   W32/Sdbot-AMF

Type  
    * Worm

How it spreads  
    * Network shares

Affected operating systems  
    * Windows

Side effects  
    * Allows others to access the computer
    * Modifies data on the computer
    * Downloads code from the internet
    * Exploits system or software vulnerabilities

Prevalence (1-5) 2

Description
W32/Sdbot-AMF is an internet worm and IRC backdoor Trojan for the 
Windows platform.

W32/Sdbot-AMF runs continuously in the background, providing a 
backdoor server which allows a remote intruder to gain 
access and control over the computer via IRC channels.

W32/Sdbot-AMF includes functionality to silently download, install 
and run new software.

Advanced
W32/Sdbot-AMF is an internet worm and IRC backdoor Trojan for the 
Windows platform.

W32/Sdbot-AMF spreads to other network computers by exploiting common 
buffer overflow vulnerabilities, including: 
LSASS (MS04-011), RPC-DCOM (MS04-012), PNP (MS05-039) and ASN.1 
(MS04-007) and by copying itself to network shares 
protected by weak passwords.

W32/Sdbot-AMF runs continuously in the background, providing a 
backdoor server which allows a remote intruder to gain 
access and control over the computer via IRC channels.

W32/Sdbot-AMF includes functionality to silently download, install 
and run new software.

The following patches for the operating system vulnerabilities 
exploited by W32/Sdbot-AMF can be obtained from the 
Microsoft website:

http://www.microsoft.com/technet/security/bulletin/MS04-011.mspx
http://www.microsoft.com/technet/security/bulletin/MS04-012.mspx
http://www.microsoft.com/technet/security/bulletin/MS05-039.mspx
http://www.microsoft.com/technet/security/bulletin/MS04-007.mspx





Name   W32/Mytob-GO

Type  
    * Worm

How it spreads  
    * Email attachments

Affected operating systems  
    * Windows

Side effects  
    * Allows others to access the computer
    * Sends itself to email addresses found on the infected computer
    * Forges the sender's email address
    * Uses its own emailing engine
    * Installs itself in the Registry
    * Exploits system or software vulnerabilities
    * Used in DOS attacks

Prevalence (1-5) 2

Description
W32/Mytob-GO is a mass-mailing worm and backdoor Trojan that can be 
controlled through the Internet Relay Chat (IRC) 
network.

W32/Mytob-GO runs continuously in the background, providing a 
backdoor server which allows a remote intruder to gain 
access and control over the computer via IRC channels.

W32/Mytob-GO spreads to other network computers by exploiting common 
buffer overflow vulnerabilities, including: LSASS 
(MS04-011) and ASN.1 (MS04-007)

W32/Mytob-GO sends emails in the following format, with details 
filled in to make the email look more authentic:

Subject line chosen from:

*WARNING* Your email account is suspended
You are banned!!!
*DETECTED* Online User Violation
Important Notification
Your Account is Suspended For Security Reasons
Your Account is Suspended
Warning Message: Your services near to be closed.
Members Support
We have suspended your account
Security measures
Email Account Suspension
Notice of account limitation

Message text chosen from (the worm will insert the username and the 
email domain of the addressee into the email):

"Some information about your account is attached."

"Dear Member,

Your e-mail account was used to send a huge amount of unsolicited 
spam messages during the recent week.
If you could please take 5-10 minutes out of your online experience 
and confirm the attached document so you will not 
run into any future problems with the online service.

Virtually yours,
The Support Team"

"Dear Member,

We have temporarily suspended your email account .

This might be due to either of the following reasons:

1. A recent change in your personal information (i.e. change of 
address).
2. Submiting invalid information during the initial sign up process.
3. An innability to accurately verify your selected option of 
subscription due to an internal error within our 
processors.

See the attached details to reactivate your account.

Sincerely,The Support Team"

The attached file consists of a base name followed by the extension 
ZIP. The worm may optionally create double 
extensions where the first extension is DOC, TXT or HTM and the final 
extension is BAT, CMD, PIF, SCR, EXE or ZIP. The 
base filenames are randomly chosen from:

important-details
account-details
email-details
account-info
information
readme
account-report
<random characters>

The zip file will contain the worm with double extension. The first 
extension will be one of DOC, HTM, TXT followed by 
spaces and the second extension is EXE, SCR or PIF.

W32/Mytob-GO harvests email addresses from files on the infected 
computer and from the Windows address book.

Advanced
W32/Mytob-GO is a mass-mailing worm and backdoor Trojan that can be 
controlled through the Internet Relay Chat (IRC) 
network.

W32/Mytob-GO runs continuously in the background, providing a 
backdoor server which allows a remote intruder to gain 
access and control over the computer via IRC channels.

W32/Mytob-GO spreads to other network computers by exploiting common 
buffer overflow vulnerabilities, including: LSASS 
(MS04-011) and ASN.1 (MS04-007)

When first run W32/Mytob-GO copies itself to <System>\svchosts.exe.

The following registry entries are created to run svchosts.exe on 
startup:

HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnce
Win32 Driver
svchosts.exe

HKCU\Software\Microsoft\Windows\CurrentVersion\Run
Win32 Driver
svchosts.exe

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce
Win32 Driver
svchosts.exe

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices
Win32 Driver
svchosts.exe

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Win32 Driver
svchosts.exe

W32/Mytob-GO sends emails in the following format, with details 
filled in to make the email look more authentic:

Subject line chosen from:

*WARNING* Your email account is suspended
You are banned!!!
*DETECTED* Online User Violation
Important Notification
Your Account is Suspended For Security Reasons
Your Account is Suspended
Warning Message: Your services near to be closed.
Members Support
We have suspended your account
Security measures
Email Account Suspension
Notice of account limitation

Message text chosen from (the worm will insert the username and the 
email domain of the addressee into the email):

"Some information about your account is attached."

"Dear Member,

Your e-mail account was used to send a huge amount of unsolicited 
spam messages during the recent week.
If you could please take 5-10 minutes out of your online experience 
and confirm the attached document so you will not 
run into any future problems with the online service.

Virtually yours,
The Support Team"

"Dear Member,

We have temporarily suspended your email account .

This might be due to either of the following reasons:

1. A recent change in your personal information (i.e. change of 
address).
2. Submiting invalid information during the initial sign up process.
3. An innability to accurately verify your selected option of 
subscription due to an internal error within our 
processors.

See the attached details to reactivate your account.

Sincerely,The Support Team"

The attached file consists of a base name followed by the extension 
ZIP. The worm may optionally create double 
extensions where the first extension is DOC, TXT or HTM and the final 
extension is BAT, CMD, PIF, SCR, EXE or ZIP. The 
base filenames are randomly chosen from:

important-details
account-details
email-details
account-info
information
readme
account-report
<random characters>

The zip file will contain the worm with double extension. The first 
extension will be one of DOC, HTM, TXT followed by 
spaces and the second extension is EXE, SCR or PIF.

W32/Mytob-GO harvests email addresses from files on the infected 
computer and from the Windows address book.





Name   Troj/RuinDl-K

Type  
    * Trojan

Affected operating systems  
    * Windows

Side effects  
    * Downloads code from the internet
    * Installs itself in the Registry

Aliases  
    * Trojan.Win32.Small.fb

Prevalence (1-5) 2

Description
Troj/RuinDl-K is a Trojan for the Windows platform.

Advanced
Troj/RuinDl-K is a Trojan for the Windows platform.

When first run Troj/RuinDl-K copies itself to <System>\dmcoj.exe.

The following registry entry is created to run dmcoj.exe on startup:

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
dmcoj.exe
<System>\dmcoj.exe





Name   Troj/Zlob-CN

Type  
    * Trojan

Affected operating systems  
    * Windows

Side effects  
    * Downloads code from the internet
    * Reduces system security
    * Installs itself in the Registry

Aliases  
    * Trojan.Zlob

Prevalence (1-5) 2

Description
Troj/Zlob-CN is a Trojan for the Windows platform.

Troj/Zlob-CN changes search settings for Microsoft Internet Explorer.

Advanced
Troj/Zlob-CN is a Trojan for the Windows platform.

When Troj/Zlob-CN is installed the following files are created:

<System>\hp<random characters>.tmp
<System>\msvol.tlb
<System>\ncompat.tlb

The file ncompat.tlb is a clean data file. The other two files are 
both also detected as Troj/Zlob-CN.

The file hp<random characters>.tmp is registered as a COM object and 
Browser Helper Object (BHO) for Microsoft 
Internet Explorer, creating registry entries under:

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser 
Helper Objects\(e0103cd4-d1ce-411a-b75b-4fec072867f4)
HKCR\CLSID\(E0103CD4-D1CE-411A-B75B-4FEC072867F4)

Troj/Zlob-CN sets the following registry entry to run nvctrl.exe, 
usually a copy of itself, on system startup:

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\explorer\run
nvctrl.exe
nvctrl.exe

Troj/Zlob-CN changes search settings for Microsoft Internet Explorer 
by modifying values under:

HKCU\Software\Microsoft\Internet Explorer\Search\

Registry entries are set under the following registry keys:

HKLM\SOFTWARE\Microsoft\Windows\Curre\ntVersion\Explorer\Browser 
Helper Objects(e0103cd4-d1ce-411a-b75b-4fec072867f4)\

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser 
Helper Objecta\(e0103cd4-d1ce-411a-b75b-4fec072867f4)\





Name   W32/Nyxem-D

Type  
    * Worm

Affected operating systems  
    * Windows

Side effects  
    * Turns off anti-virus applications
    * Sends itself to email addresses found on the infected computer
    * Deletes files off the computer
    * Forges the sender's email address
    * Uses its own emailing engine
    * Downloads code from the internet
    * Reduces system security
    * Installs itself in the Registry

Aliases  
    * Email-Worm.Win32.VB.bi
    * W32/Generic.worm!p2p

Prevalence (1-5) 2

Description
W32/Nyxem-D is an email & network worm for the Windows platform.

W32/Nyxem-D may open an empty dropped ZIP file in order to hide its 
functionality.

W32/Nyxem-D may periodically attempt to download and run an update of 
itself.

W32/Nyxem-D may attempt to display an icon in the Windows taskbar 
with the text "Update Please wait" if it detects the 
presence of anti-virus software. W32/Nyxem-D may also attempt to 
close windows, terminate programs, remove registry 
entries and delete files related to security and anti-virus programs.

W32/Nyxem-D sends itself to email addresses it harvests from files on 
the infected computer, sending itself as if from 
one contact to another. The emails sent have the following 
characteristics:

Subject lines include the following, or may be blank:

*Hot Movie*
A Great Video
Arab sex DSC-00465.jpg
eBook.pdf
Fuckin Kama Sutra pics
Fw:
Fw: DSC-00465.jpg
Fw: Funny :)
Fw: Picturs
Fw: Real show
Fw: SeX.mpg
Fw: Sexy
Fwd: Crazy illegal Sex!
Fwd: image.jpg
Fwd: Photo
give me a kiss
Hello
Miss Lebanon 2006
My photos
Part 1 of 6 Video clipe
Re:
Re: Sex Video
School girl fantasies gone bad
The Best Videoclip Ever
the file
Word file
You Must View This Videoclip!

Message bodies include the following, and may contain images that 
cannot be displayed:

----- forwarded message -----
???????????????????????????? ????????????? ?????? ???????????
>> forwarded message
DSC-00465.jpg DSC-00466.jpg DSC-00467.jpg
forwarded message attached.
Fuckin Kama Sutra pics
hello, i send the file. bye
hi i send the details bye
Hot XXX Yahoo Groups
how are you? i send the details. OK ?
i attached the details. Thank you
i just any one see my photos. It's Free :)
Note: forwarded message attached.
photo photo2 photo3
Please see the file.
ready to be FUCKED :)
VIDEOS! FREE! (US$ 0,00)
What?

Attachments may be executable files or mime files containing 
executable files. Executable attachment filenames include 
the following:

007.pif
04.pif
677.pif
document.pif
DSC-00465.Pif
DSC-00465.pIf
eBook.PIF
image04.pif
New_Document_file.pif
photo.pif
School.pif

Mime attachment filenames include the following:

3.92315089702606E02.UUE
Attachments[001].B64
Attachments00.HQX
Attachments001.BHX
eBook.Uu
Original Message.B64
Sex.mim
SeX.mim
Video_part.mim
WinZip.BHX
Word_Document.hqx
Word_Document.uu

Mime attachment filenames also include the following:

392315089702606E-02
Clipe
Miss
Photos
Sweet_09

with one of the following extensions:

.b64
.BHx
.HQX
.mim
.uu
.UUE
.XxE

If the attachment is a mime file, it contains a file with one of the 
following filenames followed by several spaces 
and an SCR extension:

392315089702606E-02,UUE
Adults_9,zip
ATT01.zip
Atta[001],zip
Attachments,zip
Attachments[001],B64
Clipe,zip
New Video,zip
Photos,zip
SeX,zip
WinZip,zip
WinZip.zip
Word XP.zip
Word.zip

W32/Nyxem-D attempts to spread to network shares with weak passwords.

Advanced
W32/Nyxem-D is an email & network worm for the Windows platform.

W32/Nyxem-D copies itself with some of the following filenames:

<Windows>\Rundll16.exe
<System>\scanregw.exe
<System>\Winzip.exe
<System>\Update.exe
<System>\WinZip_Tmp.exe
<System>\New WinZip File.exe
movies.exe
Zipped Files.exe

W32/Nyxem-D sets the following registry entry to run itself on system 
startup:

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
ScanRegistry
scanregw.exe /scan

W32/Nyxem-D also sets the following registry entries:

HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced
WebView
0

W32/Nyxem-D may modify registry values under the following locations:

HKCU\Control Panel\BMale
HKCU\Control Panel\DNS

W32/Nyxem-D may drop an empty file to the Windows system folder with 
the same name as itself but with a ZIP extension 
and attempts to open it in order to hide its functionality.

W32/Nyxem-D may periodically attempt to download and run an update of 
itself.

W32/Nyxem-D may attempt to display an icon in the Windows taskbar 
with the text "Update Please wait" if it detects the 
presence of anti-virus software. W32/Nyxem-D may also attempt to 
close windows, terminate programs, remove registry 
entries and delete files related to security and anti-virus programs.

W32/Nyxem-D sends itself to email addresses it harvests from files on 
the infected computer, sending itself as if from 
one contact to another. The emails sent have the following 
characteristics:

Subject lines include the following, or may be blank:

*Hot Movie*
A Great Video
Arab sex DSC-00465.jpg
eBook.pdf
Fuckin Kama Sutra pics
Fw:
Fw: DSC-00465.jpg
Fw: Funny :)
Fw: Picturs
Fw: Real show
Fw: SeX.mpg
Fw: Sexy
Fwd: Crazy illegal Sex!
Fwd: image.jpg
Fwd: Photo
give me a kiss
Hello
Miss Lebanon 2006
My photos
Part 1 of 6 Video clipe
Re:
Re: Sex Video
School girl fantasies gone bad
The Best Videoclip Ever
the file
Word file
You Must View This Videoclip!

Message bodies include the following, and may contain images that 
cannot be displayed:

----- forwarded message -----
???????????????????????????? ????????????? ?????? ???????????
>> forwarded message
DSC-00465.jpg DSC-00466.jpg DSC-00467.jpg
forwarded message attached.
Fuckin Kama Sutra pics
hello, i send the file. bye
hi i send the details bye
Hot XXX Yahoo Groups
how are you? i send the details. OK ?
i attached the details. Thank you
i just any one see my photos. It's Free :)
Note: forwarded message attached.
photo photo2 photo3
Please see the file.
ready to be FUCKED :)
VIDEOS! FREE! (US$ 0,00)
What?

Attachments may be executable files or mime files containing 
executable files. Executable attachment filenames include 
the following:

007.pif
04.pif
677.pif
document.pif
DSC-00465.Pif
DSC-00465.pIf
eBook.PIF
image04.pif
New_Document_file.pif
photo.pif
School.pif

Mime attachment filenames include the following:

3.92315089702606E02.UUE
Attachments[001].B64
Attachments00.HQX
Attachments001.BHX
eBook.Uu
Original Message.B64
Sex.mim
SeX.mim
Video_part.mim
WinZip.BHX
Word_Document.hqx
Word_Document.uu

Mime attachment filenames also include the following:

392315089702606E-02
Clipe
Miss
Photos
Sweet_09

with one of the following extensions:

.b64
.BHx
.HQX
.mim
.uu
.UUE
.XxE

If the attachment is a mime file, it contains a file with one of the 
following filenames followed by several spaces 
and an SCR extension:

392315089702606E-02,UUE
Adults_9,zip
ATT01.zip
Atta[001],zip
Attachments,zip
Attachments[001],B64
Clipe,zip
New Video,zip
Photos,zip
SeX,zip
WinZip,zip
WinZip.zip
Word XP.zip
Word.zip

W32/Nyxem-D attempts to spread to network shares with weak passwords 
using the name WINZIP_TMP.exe.





Name   W32/Agobot-VI

Type  
    * Worm

How it spreads  
    * Network shares

Affected operating systems  
    * Windows

Side effects  
    * Allows others to access the computer
    * Installs itself in the Registry
    * Exploits system or software vulnerabilities

Aliases  
    * Backdoor.Win32.Agobot.gen

Prevalence (1-5) 2

Description
W32/Agobot-VI is a worm with backdoor functionality for the Windows 
platform.

W32/Agobot-VI spreads to other network computers by exploiting common 
buffer overflow vulnerabilities, including: PNP 
(MS05-039) and ASN.1 (MS04-007) and by copying itself to network 
shares protected by weak passwords.

W32/Agobot-VI runs continuously in the background, providing a 
backdoor server which allows a remote intruder to gain 
access and control over the computer via IRC channels.

Advanced
W32/Agobot-VI is a worm with backdoor functionality for the Windows 
platform.

W32/Agobot-VI spreads to other network computers by exploiting common 
buffer overflow vulnerabilities, including: PNP 
(MS05-039) and ASN.1 (MS04-007) and by copying itself to network 
shares protected by weak passwords.

W32/Agobot-VI runs continuously in the background, providing a 
backdoor server which allows a remote intruder to gain 
access and control over the computer via IRC channels.

When first run W32/Agobot-VI copies itself to <Windows system 
folder>\Stney.exe.

The following registry entries are created to run Stney.exe on startup:

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Windows Help
Stney.exe

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices
Windows Help
Stney.exe

Registry entries are set as follows:

HKCU\Software\Policies\Microsoft\Windows\WindowsUpdate\AU
NoAutoUpdate
1

HKCU\Software\Policies\Microsoft\Windows\WindowsUpdate\AU
AUOptions
1

HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU
NoAutoUpdate
1

HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU
AUOptions
1

HKLM\SYSTEM\CurrentControlSet\Control\Lsa
AUOptions
1

HKLM\SYSTEM\CurrentControlSet\Control\Lsa
restrictanonymous
0

Registry entries are created under:

HKCU\Software\Microsoft\Security Center\
HKLM\SOFTWARE\Microsoft\Security Center\





Name   Troj/Dloadr-ACY

Type  
    * Trojan

Affected operating systems  
    * Windows

Side effects  
    * Downloads code from the internet

Aliases  
    * Trojan-Downloader.Win32.Small.asa

Prevalence (1-5) 2

Description
Troj/Dloadr-ACY is a Trojan for the Windows platform.

Troj/Dloadr-ACY has functionality to communicate with a remote server 
via HTTP.

The downloaded file is saved to C:\tmp.bat which is then executed by 
Troj/Dloadr-ACY.





Name   W32/Rbot-BMG

Type  
    * Worm

How it spreads  
    * Network shares

Affected operating systems  
    * Windows

Side effects  
    * Allows others to access the computer
    * Installs itself in the Registry
    * Exploits system or software vulnerabilities

Aliases  
    * Backdoor.Win32.Rbot.anu

Prevalence (1-5) 2

Description
W32/Rbot-BMG is an internet worm and IRC backdoor Trojan for the 
Windows platform.

W32/Rbot-BMG spreads to other network computers by exploiting the 
buffer overflow vulnerabilities LSASS (MS04-011), RPC-DCOM (MS04-012), 
PNP (MS05-039), ASN.1 (MS04-007) and WKS (MS03-049) and by copying 
itself to network shares protected by weak passwords.

W32/Rbot-BMG runs continuously in the background, providing a 
backdoor server which allows a remote intruder to gain 
access and control over the computer via IRC channels.

The following patches for the operating system vulnerabilities 
exploited by W32/Rbot-BMG can be obtained from the 
Microsoft website:

http://www.microsoft.com/technet/security/bulletin/MS04-011.mspx
http://www.microsoft.com/technet/security/bulletin/MS04-012.mspx
http://www.microsoft.com/technet/security/bulletin/MS05-039.mspx
http://www.microsoft.com/technet/security/bulletin/MS04-007.mspx
http://www.microsoft.com/technet/security/bulletin/MS03-049.mspx

Advanced
W32/Rbot-BMG is an internet worm and IRC backdoor Trojan for the 
Windows platform.

W32/Rbot-BMG spreads to other network computers by exploiting the 
buffer overflow vulnerabilities LSASS (MS04-011), RPC-DCOM (MS04-012), 
PNP (MS05-039), ASN.1 (MS04-007) and WKS (MS03-049) and by copying 
itself to network shares protected by weak passwords.

W32/Rbot-BMG runs continuously in the background, providing a 
backdoor server which allows a remote intruder to gain 
access and control over the computer via IRC channels.

The following patches for the operating system vulnerabilities 
exploited by W32/Rbot-BMG can be obtained from the 
Microsoft website:

http://www.microsoft.com/technet/security/bulletin/MS04-011.mspx
http://www.microsoft.com/technet/security/bulletin/MS04-012.mspx
http://www.microsoft.com/technet/security/bulletin/MS05-039.mspx
http://www.microsoft.com/technet/security/bulletin/MS04-007.mspx
http://www.microsoft.com/technet/security/bulletin/MS03-049.mspx

When first run W32/Rbot-BMG copies itself to <System>\CCapp1.exe.

The following registry entries are created to run MSGUPDAT32.EXE on 
startup:

HKCU\Software\Microsoft\Windows\CurrentVersion\Run\
Antivirus Protection
CCapp1.exe

HKCU\Software\Microsoft\Windows\CurrentVersion\RunServices\
Antivirus Protection
CCapp1.exe

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\
Antivirus Protection
CCapp1.exe

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices\
Antivirus Protection
CCapp1.exe

The following registry entry is set:

HKCU\Software\Microsoft\OLE\
Antivirus Protection
CCapp1.exe





Name   W32/Loosky-AE

Type  
    * Spyware Worm

How it spreads  
    * Email attachments

Affected operating systems  
    * Windows

Side effects  
    * Allows others to access the computer
    * Sends itself to email addresses found on the infected computer
    * Drops more malware
    * Forges the sender's email address
    * Uses its own emailing engine
    * Reduces system security
    * Records keystrokes
    * Installs itself in the Registry
    * Leaves non-infected files on computer

Aliases  
    * Email-Worm.Win32.Locksky.t
    * W32/Loosky.dr
    * W32/Locksky.U
    * WORM_LOCKSKY.AB
    * Worm.Locksky.I

Prevalence (1-5) 2

Description
W32/Loosky-AE is a mass-mailing worm for the Windows platform.

Messages sent by the worm have the following characteristics:

Subject: Your Ebay Account is Suspended

Message text: We regret to inform you that your account has been 
suspended due to the violation of our site policy, 
more info is attached.

Attachment name: ebay_info.exe

W32/Loosky-AE contains functionality to run an HTTP or SOCKS proxy, 
steal passwords and record keypresses.

Advanced
W32/Loosky-AE is a mass-mailing worm for the Windows platform.

W32/Loosky-AE sends itself by email to addresses harvested from 
address books and HTML files on the local drives.

Messages sent by the worm have the following characteristics:

Subject: Your Ebay Account is Suspended

Message text: We regret to inform you that your account has been 
suspended due to the violation of our site policy, 
more info is attached.

Attachment name: ebay_info.exe

When first run W32/Loosky-AE copies itself to <Windows>\sachostx.exe 
and creates the following files:

<System>\attrib.ini
<System>\hard.lck
<System>\msvcrl.dll
<System>\sachostc.exe
<System>\sachostp.exe
<System>\sachostm.exe
<System>\sachosts.exe
<System>\sachostw.exe

attrib.ini contains recorded keypresses and other stolen information. 
hard.lck is harmless. The remaining files are 
detected as W32/Loosky-AE.

The following registry entry is created to run sachostx.exe on startup:

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
HostSrv
<Windows>\sachostx.exe

W32/Loosky-AE contains functionality to run an HTTP or SOCKS proxy, 
steal passwords and record keypresses.





Name   Troj/Zlob-CO

Type  
    * Trojan

Affected operating systems  
    * Windows

Side effects  
    * Drops more malware
    * Installs itself in the Registry

Aliases  
    * Trojan-Downloader.Win32.Zlob.es

Prevalence (1-5) 2

Description
Troj/Zlob-CO is a Trojan for the Windows platform.

Troj/Zlob-CO has the functionality to communicate with a remote 
server via HTTP.

Advanced
Troj/Zlob-CO is a Trojan for the Windows platform.

Troj/Zlob-CO has the functionality to communicate with a remote 
server via HTTP.

When run, Troj/Zlob-CO creates the following files:

<System>hp<random characters>.tmp
<System>\msvol.tlb
<System>\ncompat.tlb

The files hp923.tmp and msvol.tlb are detected by Sophos as 
Troj/Zlob-CO. The
file ncompat.tlb can be deleted safely.

Troj/Zlob-CO changes search settings for Microsoft Internet Explorer by
modifying values under:

HKCU\Software\Microsoft\Internet Explorer\Search\

When run, Troj/Zlob-CO sets the following registry entries:

HKLM\SOFTWARE\Microsoft\Windows\Curre\ntVersion\Explorer\Browser Helper
Objects(e0103cd4-d1ce-411a-b75b-4fec072867f4)\

HKLM\SOFTWARE\Microsoft\Windows\Curre\ntVersion\Explorer\Browser Helper
Objects(e0103cd4-d1ce-411a-b75b-4fec072867f4)\(default)

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper
Objecta\(e0103cd4-d1ce-411a-b75b-4fec072867f4)\

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper
Objecta\(e0103cd4-d1ce-411a-b75b-4fec072867f4)\(default)

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\explorer\run
nvctrl.exe
nvctrl.exe





Name   Troj/Hupigon-CI

Type  
    * Trojan

Affected operating systems  
    * Windows

Side effects  
    * Allows others to access the computer
    * Downloads code from the internet
    * Installs itself in the Registry

Aliases  
    * Backdoor.Win32.Hupigon.po

Prevalence (1-5) 2

Description
Troj/Hupigon-CI is a Trojan for the Windows platform.

Troj/Hupigon-CI includes functionality to access the internet and 
communicate with a remote server via HTTP.

Advanced
Troj/Hupigon-CI is a Trojan for the Windows platform.

Troj/Hupigon-CI includes functionality to access the internet and 
communicate with a remote server via HTTP.

When first run, Troj/Hupigon-CI copies itself to <Windows>\qq.exe.

The file qq.exe is registered as a new system driver service named 
"qq", with a display name of "qq" and a startup 
type of automatic, so that it is started automatically during system 
startup. Registry entries are created under:

HKLM\SYSTEM\CurrentControlSet\Services\qq\





Name   W32/Tilebot-CZ

Type  
    * Worm

How it spreads  
    * Network shares

Affected operating systems  
    * Windows

Side effects  
    * Allows others to access the computer
    * Downloads code from the internet
    * Reduces system security
    * Installs itself in the Registry
    * Exploits system or software vulnerabilities

Prevalence (1-5) 2

Description
W32/Tilebot-CZ is a worm and IRC backdoor Trojan for the Windows 
platform.

W32/Tilebot-CZ spreads:

- to other network computers by exploiting common buffer overflow 
vulnerabilities, including: LSASS (MS04-011), 
RPC-DCOM (MS04-012), PNP (MS05-039) and ASN.1 (MS04-007)
- to other network computers running MSSQL servers protected by weak 
passwords
- by copying itself to network shares protected by weak passwords

W32/Tilebot-CZ runs continuously in the background, providing a 
backdoor server which allows a remote intruder to gain 
access and control over the computer via IRC channels.

Advanced
W32/Tilebot-CZ is a worm and IRC backdoor Trojan for the Windows 
platform.

W32/Tilebot-CZ spreads:

- to other network computers by exploiting common buffer overflow 
vulnerabilities, including: LSASS (MS04-011), 
RPC-DCOM (MS04-012), PNP (MS05-039) and ASN.1 (MS04-007)
- to other network computers running MSSQL servers protected by weak 
passwords
- by copying itself to network shares protected by weak passwords

W32/Tilebot-CZ runs continuously in the background, providing a 
backdoor server which allows a remote intruder to gain 
access and control over the computer via IRC channels.

W32/Tilebot-CZ includes functionality to download, install and run 
new software.

When first run, W32/Tilebot-CZ copies itself to <Windows>\win32ssr.exe 
and may create the clean file <System>\svkp.sys.

The file win32ssr.exe is registered as a new system driver service 
named "Win32Sr", with a display name of "Win32Sr" 
and a startup type of automatic, so that it is started automatically 
during system startup. Registry entries are 
created under:

HKLM\SYSTEM\CurrentControlSet\Services\Win32Sr\

The clean file SVKP.sys is registered as a new system driver service 
named "SVKP", with a display name of "SVKP" and a 
startup type of automatic, so that it is started automatically during 
system startup. Registry entries are created 
under:

HKLM\SYSTEM\CurrentControlSet\Services\SVKP\

W32/Tilebot-CZ sets the following registry entries, disabling the 
automatic startup of other software:

HKLM\SYSTEM\CurrentControlSet\Services\Messenger
Start
4

HKLM\SYSTEM\CurrentControlSet\Services\RemoteRegistry
Start
4

HKLM\SYSTEM\CurrentControlSet\Services\TlntSvr
Start
4

Registry entries are set as follows:

HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate
DoNotAllowXPSP2
1

HKLM\SOFTWARE\Microsoft\Ole
EnableDCOM
N

HKLM\SYSTEM\CurrentControlSet\Control\Lsa
restrictanonymous
1

Registry entries are created under:

HKLM\SOFTWARE\Microsoft\Security Center\
HKLM\SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile\
HKLM\SOFTWARE\Policies\Microsoft\WindowsFirewall\StandardProfile\





Name   Troj/Ooj-B

Type  
    * Spyware Trojan

Affected operating systems  
    * Windows

Side effects  
    * Steals information
    * Uses its own emailing engine

Aliases  
    * Trojan-PSW.Win32.VB.fl

Prevalence (1-5) 2

Description
Troj/Ooj-B is a password stealing Trojan for the Windows platform.

Troj/Ooj-B harvests email account information, passwords and ICQ 
numbers from the infected computer, and emails stolen 
data to a remote attacker.





Name   W32/Zotob-K

Type  
    * Worm

How it spreads  
    * Email attachments
    * Network shares

Affected operating systems  
    * Windows

Side effects  
    * Allows others to access the computer
    * Sends itself to email addresses found on the infected computer
    * Forges the sender's email address
    * Downloads code from the internet
    * Installs itself in the Registry
    * Exploits system or software vulnerabilities

Aliases  
    * Net-Worm.Win32.Mytob.dt

Prevalence (1-5) 2

Description
W32/Zotob-K is a mass-mailing and network worm and IRC backdoor 
Trojan for the Windows platform.

W32/Zotob-K spreads to other network computers by exploiting common 
buffer overflow vulnerabilities, including: PNP 
(MS05-039) and ASN.1 (MS04-007), as well as to network shares with 
weak passwords.

W32/Zotob-K runs continuously in the background, providing a backdoor 
server which allows a remote intruder to gain 
access and control over the computer via IRC channels, including the 
ability to download and execute files on the 
infected computer.

W32/Zotob-K can spread by sending itself as an email attachment to 
email addresses it harvests from the infected 
computer, either as an attachment with a double-extension or as a zip 
file containing a file with a double-extension. 
W32/Zotob-K avoids sending emails to addresses containing certain 
strings in them.

W32/Zotob-K processes the emails it has harvested by splitting them 
into name and domain. Once it has sent itself to 
the emails it has harvested, it uses a predefined list of names with 
the harvested domains. W32/Zotob-K spoofs the 
sender, sending emails as if from one of the following at the same 
domain as the recipient:

support
administrator
mail
service
admin
info
register
webmaster

For example, if sending itself to name@example.com, W32/Zotob-K might 
send the email as if from admin@example.com.

Emails sent by the worm have characteristics from the following:

Subject line:
Your password has been updated
Your password has been successfully updated
You have successfully updated your password
Your new account password is approved
Your Account is Suspended
*DETECTED* Online User Violation
Your Account is Suspended For Security Reasons
Warning Message: Your services near to be closed.
Important Notification
Members Support
Security measures
Email Account Suspension
Notice of account limitation
<random characters>

Message text - a formatted version of one of the following:
Dear user <recipient's username>,

You have successfully updated the password of your <recipient's 
domain> account.

If you did not authorize this change or if you need assistance with 
your account, please contact <recipient's domain> 
customer service at: <spoofed sender address>

Thank you for using <recipient's domain>!
The <recipient's domain> Support Team <BR>

+++ Attachment: No Virus (Clean)
+++ <recipient's domain> Antivirus - www.<recipient's domain>

Dear user <recipient's username>,

It has come to our attention that your <recipient's domain> User 
Profile ( x ) records are out of date. For further 
details see the attached document.

Thank you for using <recipient's domain>!
The <recipient's domain> Support Team

+++ Attachment: No Virus (Clean)
+++ <recipient's domain> Antivirus - www.<recipient's domain>

Dear <recipient's username> Member,

We have temporarily suspended your email account <recipient's domain>.

This might be due to either of the following reasons:

1. A recent change in your personal information (i.e. change of 
address).
2. Submiting invalid information during the initial sign up process.
3. An innability to accurately verify your selected option of 
subscription due to an internal error within our 
processors.
See the details to reactivate your <recipient's domain> account.

Sincerely,The <recipient's domain> Support Team

+++ Attachment: No Virus (Clean)
+++ <recipient's domain> Antivirus - www.<recipient's domain>

Dear <recipient's domain> Member,

Your e-mail account was used to send a huge amount of unsolicited 
spam messages during the recent week. If you could 
please take 5-10 minutes out of your online experience and confirm 
the attached document so you will not run into any 
future problems with the online service.

If you choose to ignore our request, you leave us no choice but to 
cancel your membership.

Virtually yours,
The <recipient's domain> Support Team

+++ Attachment: No Virus found
+++ <recipient's domain> Antivirus - www.<recipient's domain>

Attachment name:
updated-password
email-password
new-password
password
approved-password
account-password
accepted-password
important-details
account-details
email-details
account-info
document
readme
account-report

First extension (of attachment or of file inside zip):
doc
htm
txt

Second extension (of attachment or of file inside zip):
pif
scr
exe
cmd
bat

If the attachment is a zip file it will have the same base name as 
the double-extension file inside.

Example attachment names include document.txt.pif and 
information.doc.cmd, usually with a large number of spaces 
between the extensions.

Advanced
W32/Zotob-K is a mass-mailing and network worm and IRC backdoor 
Trojan for the Windows platform.

W32/Zotob-K spreads to other network computers by exploiting common 
buffer overflow vulnerabilities, including: PNP 
(MS05-039) and ASN.1 (MS04-007), as well as to network shares with 
weak passwords.

W32/Zotob-K runs continuously in the background, providing a backdoor 
server which allows a remote intruder to gain 
access and control over the computer via IRC channels, including the 
ability to download and execute files on the 
infected computer.

When first run, W32/Zotob-K copies itself to <System>\winint.exe.

The file winint.exe is registered as a new system driver service 
named "Microsoft System Debugger", with a display 
name of "Microsoft System Debugger" and a startup type of automatic, 
so that it is started automatically during system 
startup. Registry entries are created under:

HKLM\SYSTEM\CurrentControlSet\Services\Microsoft System Debugger\

W32/Zotob-K may set the following registry entries to run 
<System>\wininit.exe on system startup:

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
WINDOWS INIT
<System>\wininit.exe

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices
WINDOWS INIT
<System>\wininit.exe

W32/Zotob-K can spread by sending itself as an email attachment to 
email addresses it harvests from the infected 
computer, either as an attachment with a double-extension or as a zip 
file containing a file with a double-extension. 
W32/Zotob-K avoids sending emails to addresses containing certain 
strings in them.

W32/Zotob-K processes the emails it has harvested by splitting them 
into name and domain. Once it has sent itself to 
the emails it has harvested, it uses a predefined list of names with 
the harvested domains. W32/Zotob-K spoofs the 
sender, sending emails as if from one of the following at the same 
domain as the recipient:

support
administrator
mail
service
admin
info
register
webmaster

For example, if sending itself to name@example.com, W32/Zotob-K might 
send the email as if from admin@example.com.

Emails sent by the worm have characteristics from the following:

Subject line:
Your password has been updated
Your password has been successfully updated
You have successfully updated your password
Your new account password is approved
Your Account is Suspended
*DETECTED* Online User Violation
Your Account is Suspended For Security Reasons
Warning Message: Your services near to be closed.
Important Notification
Members Support
Security measures
Email Account Suspension
Notice of account limitation
<random characters>

Message text - a formatted version of one of the following:
Dear user <recipient's username>,

You have successfully updated the password of your <recipient's 
domain> account.

If you did not authorize this change or if you need assistance with 
your account, please contact <recipient's domain> 
customer service at: <spoofed sender address>

Thank you for using <recipient's domain>!
The <recipient's domain> Support Team <BR>

+++ Attachment: No Virus (Clean)
+++ <recipient's domain> Antivirus - www.<recipient's domain>

Dear user <recipient's username>,

It has come to our attention that your <recipient's domain> User 
Profile ( x ) records are out of date. For further 
details see the attached document.

Thank you for using <recipient's domain>!
The <recipient's domain> Support Team

+++ Attachment: No Virus (Clean)
+++ <recipient's domain> Antivirus - www.<recipient's domain>

Dear <recipient's username> Member,

We have temporarily suspended your email account <recipient's domain>.

This might be due to either of the following reasons:

1. A recent change in your personal information (i.e. change of 
address).
2. Submiting invalid information during the initial sign up process.
3. An innability to accurately verify your selected option of 
subscription due to an internal error within our 
processors.
See the details to reactivate your <recipient's domain> account.

Sincerely,The <recipient's domain> Support Team

+++ Attachment: No Virus (Clean)
+++ <recipient's domain> Antivirus - www.<recipient's domain>

Dear <recipient's domain> Member,

Your e-mail account was used to send a huge amount of unsolicited 
spam messages during the recent week. If you could 
please take 5-10 minutes out of your online experience and confirm 
the attached document so you will not run into any 
future problems with the online service.

If you choose to ignore our request, you leave us no choice but to 
cancel your membership.

Virtually yours,
The <recipient's domain> Support Team

+++ Attachment: No Virus found
+++ <recipient's domain> Antivirus - www.<recipient's domain>

Attachment name:
updated-password
email-password
new-password
password
approved-password
account-password
accepted-password
important-details
account-details
email-details
account-info
document
readme
account-report

First extension (of attachment or of file inside zip):
doc
htm
txt

Second extension (of attachment or of file inside zip):
pif
scr
exe
cmd
bat

If the attachment is a zip file it will have the same base name as 
the double-extension file inside.

Example attachment names include document.txt.pif and 
information.doc.cmd, usually with a large number of spaces 
between the extensions.
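The email characteristics above (a sender forged as support/admin/etc. at the recipient's own domain, a fixed set of subject lines, and attachment names with a document extension, a run of spaces, then an executable extension) are the kind of thing a mail gateway rule can match. What follows is an added example, not Sophos code or part of the bulletin: it implements those three checks in Python, including the zip case where the member must share the zip's base name. The sample message and attachment names are constructed for the example.

```python
"""Gateway-style checks for the W32/Zotob-K email characteristics.

Added example, not Sophos code. Flags (1) senders spoofed as one of the
listed local parts at the recipient's domain, (2) the listed subject
lines, (3) padded double-extension attachment names, directly or as a
zip member sharing the zip's base name.
"""
import re

SPOOFED_LOCAL_PARTS = {"support", "administrator", "mail", "service",
                       "admin", "info", "register", "webmaster"}

SUBJECTS = {
    "your password has been updated",
    "your password has been successfully updated",
    "you have successfully updated your password",
    "your new account password is approved",
    "your account is suspended",
    "*detected* online user violation",
    "your account is suspended for security reasons",
    "warning message: your services near to be closed.",
    "important notification", "members support", "security measures",
    "email account suspension", "notice of account limitation",
}

BASE_NAMES = {"updated-password", "email-password", "new-password",
              "password", "approved-password", "account-password",
              "accepted-password", "important-details", "account-details",
              "email-details", "account-info", "document", "readme",
              "account-report"}
FIRST_EXT = {"doc", "htm", "txt"}
SECOND_EXT = {"pif", "scr", "exe", "cmd", "bat"}


def split_address(addr):
    """Return (local part, domain), lower-cased; domain is '' if no '@'."""
    local, sep, domain = addr.strip().lower().rpartition("@")
    return (local, domain) if sep else ("", "")


def is_spoofed_support_sender(sender, recipient):
    """True when the sender is e.g. admin@ at the recipient's own domain."""
    s_local, s_domain = split_address(sender)
    _, r_domain = split_address(recipient)
    return s_local in SPOOFED_LOCAL_PARTS and s_domain != "" and s_domain == r_domain


def _collapse(name):
    """Remove the runs of spaces the worm inserts between the extensions."""
    return re.sub(r"\s+", "", name.strip().lower())


def attachment_verdict(filename):
    """Reason string if the name matches the worm's pattern, else None."""
    collapsed = _collapse(filename)
    parts = collapsed.split(".")
    if len(parts) < 3:
        return None
    base, first, second = parts[0], parts[-2], parts[-1]
    if second in SECOND_EXT and first in FIRST_EXT:
        if base in BASE_NAMES:
            return f"known name with double extension: {collapsed}"
        return f"double extension ending in .{second}: {collapsed}"
    return None


def zip_members_verdict(zipname, members):
    """For a zip attachment, check its member names; note a shared base name."""
    zip_base = _collapse(zipname).rsplit(".", 1)[0]
    for member in members:
        verdict = attachment_verdict(member)
        if verdict:
            same = _collapse(member).split(".")[0] == zip_base
            return verdict + (" (same base name as zip)" if same else "")
    return None


def score_message(sender, recipient, subject, attachments):
    """attachments: list of (name, zip member names or None). Returns findings."""
    findings = []
    if is_spoofed_support_sender(sender, recipient):
        findings.append(f"sender {sender} spoofs {split_address(sender)[0]}@ at the recipient's domain")
    if subject.strip().lower() in SUBJECTS:
        findings.append(f"subject matches worm template: {subject!r}")
    for name, members in attachments:
        verdict = zip_members_verdict(name, members) if members else attachment_verdict(name)
        if verdict:
            findings.append(verdict)
    return findings


# Constructed sample message for the example.
SAMPLE_MESSAGE = {
    "sender": "admin@example.com",
    "recipient": "name@example.com",
    "subject": "Your Account is Suspended",
    "attachments": [("document.txt                                  .pif", None)],
}

if __name__ == "__main__":
    for finding in score_message(**SAMPLE_MESSAGE):
        print(finding)
```

The sender check on its own is noisy (legitimate same-domain admin mail matches it), so use it to raise the score of a message that also trips the subject or attachment rule rather than as a standalone block. The attachment rule is the robust one: a document extension followed by whitespace and an executable extension has no legitimate use.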





Name   W32/Kookoo-A

Type  
    * Virus

How it spreads  
    * Infected files

Affected operating systems  
    * Windows

Side effects  
    * Turns off anti-virus applications
    * Allows others to access the computer
    * Steals information
    * Downloads code from the internet

Prevalence (1-5) 2

Description
W32/Kookoo-A is a virus for the Windows platform.

W32/Kookoo-A spreads via infected files.

W32/Kookoo-A runs continuously in the background, providing a 
backdoor server which allows a remote intruder to gain access and 
control over the computer.

W32/Kookoo-A includes functionality to:

- send stolen confidential information to a remote address
- provide a proxy server
- silently download, install and run new software
- terminate and delete anti-virus related software

Advanced
W32/Kookoo-A is a virus for the Windows platform.

W32/Kookoo-A spreads via infected files.

W32/Kookoo-A runs continuously in the background, providing a 
backdoor server which allows a remote intruder to gain access and 
control over the computer.

W32/Kookoo-A includes functionality to:

- send stolen confidential information to a remote address
- provide a proxy server
- silently download, install and run new software
- terminate and delete anti-virus related software

When the virus is installed it creates the file 
<System>\oledsp32.dll, which is detected as W32/Kookoo-A.





Name   Troj/Haxdoor-AS

Type  
    * Spyware Trojan

Affected operating systems  
    * Windows

Side effects  
    * Allows others to access the computer
    * Steals information
    * Downloads code from the internet
    * Reduces system security
    * Records keystrokes
    * Installs itself in the Registry
    * Dropped by malware

Aliases  
    * PWS-Goldun.dll

Prevalence (1-5) 2

Description
Troj/Haxdoor-AS is a Trojan for the Windows platform.

The Trojan steals usernames and passwords and sends stolen data to a 
remote attacker.

Advanced
Troj/Haxdoor-AS is a Trojan for the Windows platform.

The Trojan steals usernames and passwords and sends stolen data to a 
remote attacker.

Troj/Haxdoor-AS copies itself to the Windows system folder as 
satdll.dll.

The Trojan may set registry entries under:

HKLM\SYSTEM\CurrentControlSet\Control\MPRServices\TestService
<several entries>

HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify
satdll

The Trojan may also create the file vxdgfx.sys in the Windows system 
folder.

 
--- MultiMail/Win32 v0.43
 * Origin: Try Our Web Based QWK: DOCSPLACE.ORG (1:123/140)