Tillbaka till svenska Fidonet
English   Information   Debug  
TRAPDOOR   0/19
TREK   0/755
TUB   0/290
UFO   0/40
UNIX   0/1316
USA_EURLINK   0/102
USR_MODEMS   0/1
VATICAN   0/2740
VIETNAM_VETS   0/14
VIRUS   0/378
VIRUS_INFO   0/201
VISUAL_BASIC   0/473
WHITEHOUSE   0/5187
WIN2000   0/101
WIN32   0/30
WIN95   0/4289
WIN95_OLD1   0/70272
WINDOWS   0/1517
WWB_SYSOP   0/419
WWB_TECH   0/810
ZCC-PUBLIC   0/1
ZEC   4

 
4DOS   0/134
ABORTION   0/7
ALASKA_CHAT   0/506
ALLFIX_FILE   0/1313
ALLFIX_FILE_OLD1   0/7997
ALT_DOS   0/152
AMATEUR_RADIO   0/1039
AMIGASALE   0/14
AMIGA   0/331
AMIGA_INT   0/1
AMIGA_PROG   0/20
AMIGA_SYSOP   0/26
ANIME   0/15
ARGUS   0/924
ASCII_ART   0/340
ASIAN_LINK   0/651
ASTRONOMY   0/417
AUDIO   0/92
AUTOMOBILE_RACING   0/105
BABYLON5   0/17862
BAG   135
BATPOWER   0/361
BBBS.ENGLISH   0/382
BBSLAW   0/109
BBS_ADS   0/5290
BBS_INTERNET   0/507
BIBLE   0/3563
BINKD   0/1119
BINKLEY   0/215
BLUEWAVE   0/2173
CABLE_MODEMS   0/25
CBM   0/46
CDRECORD   0/66
CDROM   0/20
CLASSIC_COMPUTER   0/378
COMICS   0/15
CONSPRCY   0/899
COOKING   33421
COOKING_OLD1   0/24719
COOKING_OLD2   0/40862
COOKING_OLD3   0/37489
COOKING_OLD4   0/35496
COOKING_OLD5   9370
C_ECHO   0/189
C_PLUSPLUS   0/31
DIRTY_DOZEN   0/201
DOORGAMES   0/2065
DOS_INTERNET   0/196
duplikat   6002
ECHOLIST   0/18295
EC_SUPPORT   0/318
ELECTRONICS   0/359
ELEKTRONIK.GER   1534
ENET.LINGUISTIC   0/13
ENET.POLITICS   0/4
ENET.SOFT   0/11701
ENET.SYSOP   33945
ENET.TALKS   0/32
ENGLISH_TUTOR   0/2000
EVOLUTION   0/1335
FDECHO   0/217
FDN_ANNOUNCE   0/7068
FIDONEWS   24159
FIDONEWS_OLD1   0/49742
FIDONEWS_OLD2   0/35949
FIDONEWS_OLD3   0/30874
FIDONEWS_OLD4   0/37224
FIDO_SYSOP   12852
FIDO_UTIL   0/180
FILEFIND   0/209
FILEGATE   0/212
FILM   0/18
FNEWS_PUBLISH   4436
FN_SYSOP   41707
FN_SYSOP_OLD1   71952
FTP_FIDO   0/2
FTSC_PUBLIC   0/13613
FUNNY   0/4886
GENEALOGY.EUR   0/71
GET_INFO   105
GOLDED   0/408
HAM   0/16074
HOLYSMOKE   0/6791
HOT_SITES   0/1
HTMLEDIT   0/71
HUB203   466
HUB_100   264
HUB_400   39
HUMOR   0/29
IC   0/2851
INTERNET   0/424
INTERUSER   0/3
IP_CONNECT   719
JAMNNTPD   0/233
JAMTLAND   0/47
KATTY_KORNER   0/41
LAN   0/16
LINUX-USER   0/19
LINUXHELP   0/1155
LINUX   0/22112
LINUX_BBS   0/957
mail   18.68
mail_fore_ok   249
MENSA   0/341
MODERATOR   0/102
MONTE   0/992
MOSCOW_OKLAHOMA   0/1245
MUFFIN   0/783
MUSIC   0/321
N203_STAT   930
N203_SYSCHAT   313
NET203   321
NET204   69
NET_DEV   0/10
NORD.ADMIN   0/101
NORD.CHAT   0/2572
NORD.FIDONET   189
NORD.HARDWARE   0/28
NORD.KULTUR   0/114
NORD.PROG   0/32
NORD.SOFTWARE   0/88
NORD.TEKNIK   0/58
NORD   0/453
OCCULT_CHAT   0/93
OS2BBS   0/787
OS2DOSBBS   0/580
OS2HW   0/42
OS2INET   0/37
OS2LAN   0/134
OS2PROG   0/36
OS2REXX   0/113
OS2USER-L   207
OS2   0/4786
OSDEBATE   0/18996
PASCAL   0/490
PERL   0/457
PHP   0/45
POINTS   0/405
POLITICS   0/29554
POL_INC   0/14731
PSION   103
R20_ADMIN   1123
R20_AMATORRADIO   0/2
R20_BEST_OF_FIDONET   13
R20_CHAT   0/893
R20_DEPP   0/3
R20_DEV   399
R20_ECHO2   1379
R20_ECHOPRES   0/35
R20_ESTAT   0/719
R20_FIDONETPROG...
...RAM.MYPOINT
  0/2
R20_FIDONETPROGRAM   0/22
R20_FIDONET   0/248
R20_FILEFIND   0/24
R20_FILEFOUND   0/22
R20_HIFI   0/3
R20_INFO2   3249
R20_INTERNET   0/12940
R20_INTRESSE   0/60
R20_INTR_KOM   0/99
R20_KANDIDAT.CHAT   42
R20_KANDIDAT   28
R20_KOM_DEV   112
R20_KONTROLL   0/13300
R20_KORSET   0/18
R20_LOKALTRAFIK   0/24
R20_MODERATOR   0/1852
R20_NC   76
R20_NET200   245
R20_NETWORK.OTH...
...ERNETS
  0/13
R20_OPERATIVSYS...
...TEM.LINUX
  0/44
R20_PROGRAMVAROR   0/1
R20_REC2NEC   534
R20_SFOSM   0/341
R20_SF   0/108
R20_SPRAK.ENGLISH   0/1
R20_SQUISH   107
R20_TEST   2
R20_WORST_OF_FIDONET   12
RAR   0/9
RA_MULTI   106
RA_UTIL   0/162
REGCON.EUR   0/2056
REGCON   0/13
SCIENCE   0/1206
SF   0/239
SHAREWARE_SUPPORT   0/5146
SHAREWRE   0/14
SIMPSONS   0/169
STATS_OLD1   0/2539.065
STATS_OLD2   0/2530
STATS_OLD3   0/2395.095
STATS_OLD4   0/1692.25
SURVIVOR   0/495
SYSOPS_CORNER   0/3
SYSOP   0/84
TAGLINES   0/112
TEAMOS2   0/4530
TECH   0/2617
TEST.444   0/105
Möte VIRUS, 378 texter
 lista första sista föregående nästa
Text 174, 1055 rader
Skriven 2006-01-28 16:46:00 av KURT WISMER (1:123/140)
Ärende: News, January 28 2006
=============================
[cut-n-paste from sophos.com]

Name   Troj/Stinx-N

Type  
    * Trojan

Affected operating systems  
    * Windows

Side effects  
    * Turns off anti-virus applications
    * Allows others to access the computer
    * Downloads code from the internet
    * Reduces system security
    * Installs itself in the Registry

Prevalence (1-5) 3

Description
Troj/Stinx-N is a backdoor Trojan for the Windows platform.

Troj/Stinx-N includes functionality to download and execute further 
code, and attempts to disable various security related processes.

At the time of writing Troj/Stinx-N is being agressively spammed out 
in emails with subject lines such as the following:

Campus Student Raped
Do you recognise this person?
Rape on Campus

The Trojan is included as an attachment, typically named "suspicious 
photo.exe", which the recipient is encouraged to open. The body of 
the email message is typically as follows:

Hello,

During the early morning of January 25 2006, a campus student was the 
victim of a horrific sexual assault within college grounds. 
Eyewitnesses report a tall black man in grey pants running away from 
the scene. Campus CCTV has caught this man on camera and are looking 
for ways to identify him. If anyone recognises the attached picture 
could they inform administraion immediatly

Regards,

Robert Atkins
Campus Administration

All information contained within this e-mail, including any 
attachment, is
confidential. If you have received this e-mail in error, please 
delete it
immediately. Do not use, disclose or spread the information in any 
way and notify the sender immediately. Any views and opinions 
expressed in this e-mail may not represent those of Business Monthly

The following emails have also been seen distributing Troj/Stinx-N:

Subject line:
Photo Approval Required

Message text:
Hello,

Your photograph has reached editing stage as part of an article we 
are publishing for our February edition of Traders World Monthly. Can 
you check over the format and get back to us with your approval or 
any changes?
If the picture is not to your liking then please send a preferred 
one. We've attached the photo with the article here.

Kind regards,

Jamie Andrews
Editor
TradersWorld

Subject line:
Payment Receipt

Message text:
Dear customer.

Thank you for your subscription to http://www.<adult-website>.com

You have been billed as Paycom LLC for the amount of: USA 49.99 for 
30 days then USA 39.99 recurring every 30 days.

Time: 2006-1-05 20:38
Transaction ID: 965658
Amount: GBP 49.99
Applied to Account0: 10915104
Payment Method: VISA

Your new subscription identification number is:10915104, please keep 
this number in a safe place as it will be required for reference in 
all future correspondence regarding your membership.

Advanced
Troj/Stinx-N is a backdoor Trojan for the windows platform.

Troj/Stinx-N includes functionality to download and execute further 
code, and attempts to disable various security related processes.

When first run Troj/Stinx-N copies itself to <Windows system 
folder>\csrwjd.exe

The following registry entries are created to run cstsm.exe on startup:

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
ProtocolEventTsk
csrwjd.exe

HKCU\Software\Microsoft\Windows\CurrentVersion\Run
ProtocolEventTsk
csrwjd.exe

At the time of writing Troj/Stinx-N is being agressively spammed out 
in emails with subject lines such as the following:

Campus Student Raped
Do you recognise this person?
Rape on Campus

The Trojan is included as an attachment, typically named "suspicious 
photo.exe", which the recipient is encouraged to open. The body of 
the email message is typically as follows:

Hello,

During the early morning of January 25 2006, a campus student was the 
victim of a horrific sexual assault within college grounds. 
Eyewitnesses report a tall black man in grey pants running away from 
the scene. Campus CCTV has caught this man on camera and are looking 
for ways to identify him. If anyone recognises the attached picture 
could they inform administraion immediatly

Regards,

Robert Atkins
Campus Administration

All information contained within this e-mail, including any 
attachment, is
confidential. If you have received this e-mail in error, please 
delete it
immediately. Do not use, disclose or spread the information in any 
way and notify the sender immediately. Any views and opinions 
expressed in this e-mail may not represent those of Business Monthly

The following emails have also been seen distributing Troj/Stinx-N:

Subject line:
Photo Approval Required

Message text:
Hello,

Your photograph has reached editing stage as part of an article we 
are publishing for our February edition of Traders World Monthly. Can 
you check over the format and get back to us with your approval or 
any changes?
If the picture is not to your liking then please send a preferred 
one. We've attached the photo with the article here.

Kind regards,

Jamie Andrews
Editor
TradersWorld

Subject line:
Payment Receipt

Message text:
Dear customer.

Thank you for your subscription to http://www.<adult-website>.com

You have been billed as Paycom LLC for the amount of: USA 49.99 for 
30 days then USA 39.99 recurring every 30 days.

Time: 2006-1-05 20:38
Transaction ID: 965658
Amount: GBP 49.99
Applied to Account0: 10915104
Payment Method: VISA

Your new subscription identification number is:10915104, please keep 
this number in a safe place as it will be required for reference in 
all future correspondence regarding your membership.





Name   Troj/BagleDl-BJ

Type  
    * Spyware Trojan

Affected operating systems  
    * Windows

Side effects  
    * Steals information
    * Drops more malware
    * Downloads code from the internet
    * Reduces system security
    * Installs itself in the Registry
    * Dropped by malware

Aliases  
    * Email-Worm.Win32.Bagle.fg
    * W32/Mitglieder.HJ

Prevalence (1-5) 3

Description
Troj/BagleDl-BJ is a Trojan for the Windows platform.

When first run, the Trojan creates the files im_1.exe and im_2.exe in 
the Windows system folder and then runs them. The Trojan also creates 
a JPG image in the <Temp> folder with the filename "~<random 
digit>.jpg" and displays the image. The files im_1.exe and im_2.exe 
are also detected as Troj/BagleDl-BJ.

Advanced
Troj/BagleDl-BJ is a Trojan for the Windows platform.

When first run, the Trojan creates the files im_1.exe and im_2.exe in 
the Windows system folder and then runs them. The Trojan also creates 
a JPG image in the <Temp> folder with the filename "~<random 
digit>.jpg" and displays the image. The files im_1.exe and im_2.exe 
are also detected as Troj/BagleDl-BJ.

The Trojan attempts to download files from several remote sites.

The following registry entry is created to run the Trojan each time a 
user logs on:

HKCU\Software\Microsoft\Windows\CurrentVersion\Run
im_autorn
"<Windows system folder>\im_1.exe"

The following registry entry are also created:

HKCU\Software\Microsoft\IME
FirstRun
dword:00000001





Name   Troj/Mdrop-KZ

Type  
    * Trojan

Affected operating systems  
    * Windows

Aliases  
    * Trojan-Dropper.Win32.Agent.xp

Prevalence (1-5) 2

Description
Troj/Mdrop-KZ is a Trojan for the Windows platform.

Advanced
Troj/Mdrop-KZ is a Trojan for the Windows platform.

When Troj/Mdrop-KZ is installed the following files are created 
without the user's knowledge:

<CurrentFolder>\cache.exe
<CurrentFolder>\vbrun32.exe

These files are essentially non-malicious.

Troj/Mdrop-KZ may also create a copy of itself as the file 
vbscript.dll.





Name   W32/Sdbot-AOS

Type  
    * Worm

How it spreads  
    * Network shares

Affected operating systems  
    * Windows

Side effects  
    * Allows others to access the computer
    * Downloads code from the internet
    * Installs itself in the Registry
    * Exploits system or software vulnerabilities

Aliases  
    * Backdoor.Win32.SdBot.alq

Prevalence (1-5) 2

Description
W32/Sdbot-AOS is a worm and IRC backdoor Trojan for the Windows 
platform.

W32/Sdbot-AOS attempts to spread by copying itself to network shares 
with weak passwords or by exploiting any of the following 
vulnerabilities: LSASS (MS04-011), RPC-DCOM (MS04-012), PNP 
(MS05-039), ASN.1 (MS04-007).

W32/Sdbot-AOS runs continuously in the background, providing a 
backdoor server which allows a remote intruder to gain access and 
control over the computer via IRC channels.

W32/Sdbot-AOS includes functionality to download, install and run new 
software.

Advanced
W32/Sdbot-AOS is a worm and IRC backdoor Trojan for the Windows 
platform.

W32/Sdbot-AOS attempts to spread by copying itself to network shares 
with weak passwords or by exploiting any of the following 
vulnerabilities: LSASS (MS04-011), RPC-DCOM (MS04-012), PNP 
(MS05-039), ASN.1 (MS04-007).

W32/Sdbot-AOS runs continuously in the background, providing a 
backdoor server which allows a remote intruder to gain access and 
control over the computer via IRC channels.

W32/Sdbot-AOS includes functionality to download, install and run new 
software.

When first run W32/Sdbot-AOS copies itself to <Windows>\win32ssr.exe.

The file win32ssr.exe is registered as a new system driver service 
named "Win32Sr", with a display name of "Win32Sr" and a startup type 
of automatic, so that it is started automatically during system 
startup. Registry entries are created under:

HKLM\SYSTEM\CurrentControlSet\Services\Win32Sr\

W32/Sdbot-AOS sets the following registry entries, disabling the 
automatic startup of other software:

HKLM\SYSTEM\CurrentControlSet\Services\Messenger
Start
4

HKLM\SYSTEM\CurrentControlSet\Services\RemoteRegistry
Start
4

HKLM\SYSTEM\CurrentControlSet\Services\TlntSvr
Start
4

Registry entries are set as follows:

HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate
DoNotAllowXPSP2
1

HKLM\SOFTWARE\Microsoft\Ole
EnableDCOM
N

HKLM\SYSTEM\CurrentControlSet\Control\Lsa
restrictanonymous
1

Registry entries are created under:

HKLM\SOFTWARE\Microsoft\Security Center\
HKLM\SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile\
HKLM\SOFTWARE\Policies\Microsoft\WindowsFirewall\StandardProfile\





Name   W32/Rbot-BSC

Type  
    * Worm

How it spreads  
    * Network shares

Affected operating systems  
    * Windows

Side effects  
    * Allows others to access the computer
    * Installs itself in the Registry
    * Used in DOS attacks

Prevalence (1-5) 2

Description
W32/Rbot-BSC is a worm for the Windows platform.

W32/Rbot-BSC runs continuously in the background, providing a 
backdoor server which allows a remote intruder to gain access and 
control over the computer via IRC channels.

W32/Rbot-BSC includes functionality to access the internet and 
communicate with a remote server via HTTP.

When first run W32/Rbot-BSC copies itself to <Windows system 
folder>\snddrv.exe.

Advanced
W32/Rbot-BSC is a worm for the Windows platform.

W32/Rbot-BSC runs continuously in the background, providing a 
backdoor server which allows a remote intruder to gain access and 
control over the computer via IRC channels.

W32/Rbot-BSC includes functionality to access the internet and 
communicate with a remote server via HTTP.

When first run W32/Rbot-BSC copies itself to <Windows system 
folder>\snddrv.exe.

The file snddrv.exe is registered as a new system driver service 
named "SndDRV", with a display name of "SndDRV (MS Sound Driver)" and 
a startup type of automatic, so that it is started automatically 
during system startup. Registry entries are created under:

HKLM\SYSTEM\CurrentControlSet\Services\SndDRV\

W32/Rbot-BSC sets the following registry entries, disabling the 
automatic startup of other software:

HKLM\SYSTEM\CurrentControlSet\Services\Messenger
Start
4

HKLM\SYSTEM\CurrentControlSet\Services\RemoteRegistry
Start
4

HKLM\SYSTEM\CurrentControlSet\Services\TlntSvr
Start
4

Registry entries are set as follows:

HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate
DoNotAllowXPSP2
1

HKLM\SOFTWARE\Microsoft\Ole
EnableDCOM
N

HKLM\SYSTEM\CurrentControlSet\Control\Lsa
restrictanonymous
1

Registry entries are created under:

HKLM\SOFTWARE\Microsoft\Security Center\
HKLM\SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile\
HKLM\SOFTWARE\Policies\Microsoft\WindowsFirewall\StandardProfile\





Name   W32/Feebs-E

Type  
    * Spyware Worm

How it spreads  
    * Email attachments
    * Peer-to-peer

Affected operating systems  
    * Windows

Side effects  
    * Sends itself to email addresses found on the infected computer
    * Steals information
    * Uses its own emailing engine
    * Installs itself in the Registry

Aliases  
    * Worm.Win32.Feebs.gen
    * JS/Feebs.gen.c@MM

Prevalence (1-5) 2
Description
W32/Feebs-E is a worm for the Windows platform.

The worm may arrive as an attachment to an email claiming to be sent 
via "Protected Message service" with bogus credentials. The message 
may lure the recipient into entering the supplied credentials into an 
attached HTML document.

W32/Feebs-E spreads via file sharing on P2P networks.

Advanced
W32/Feebs-E is a worm for the Windows platform.

The worm may arrive as an attachment to an email claiming to be sent 
via "Protected Message service" with bogus credentials. The message 
may lure the recipient into entering the supplied credentials into an 
attached HTML document.

W32/Feebs-E spreads via file sharing on P2P networks.

When first run W32/Feebs-E copies itself to:

<System>\ms<xx>.exe
<System>\ms<xx>

and creates the <System>\ms32.dll where are random characters and 
ms32.dll is a DLL component of the worm.

The following registry entry is created to run code exported by the 
worm library on startup:

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\ 
ShellServiceObjectDelayLoad
ms<xx>32.dll
<random CLSID>

The file ms<xx>32.dll is registered as a COM object, creating 
registry entries under:

HKCR\CLSID\<random CLSID>\InprocServer32

W32/Feebs-E copies itself to the available shared folders using the 
following filenames:

3dsmax_9_(3D_Studio_Max)_new!_full+crack.zip
ACDSee_9_new!_full+crack.zip
Adobe_Photoshop_10_(CS3)_new!_full+crack.zip
Adobe_Premiere_9_(2.0_pro)_new!_full+crack.zip
Ahead_Nero_8_new!_full+crack.zip
DivX_7.0_new!_full+crack.zip
ICQ_2006_new!_full+crack.zip
Internet_Explorer_7_new!_full+crack.zip
Kazaa_4_new!_full+crack.zip
Longhorn_new!_full+crack.zip
Microsoft_Office_2006_new!_full+crack.zip
winamp_5.2_new!_full+crack.zip

Registry entries are created under:

HKLM\SOFTWARE\Microsoft\MSAE\





Name   Troj/Drsmartl-E

Type  
    * Trojan

Affected operating systems  
    * Windows

Side effects  
    * Downloads code from the internet

Aliases  
    * Trojan-Downloader.Win32.Adload.j

Prevalence (1-5) 2

Description
Troj/Drsmartl-E is a Trojan for the Windows platform.

Troj/Drsmartl-E includes functionality to download, install and run 
new software without notification that it is doing so. The Trojan 
typically installs advertising software.





Name   W32/Sdbot-AQH

Type  
    * Worm

Affected operating systems  
    * Windows

Side effects  
    * Allows others to access the computer
    * Downloads code from the internet
    * Installs itself in the Registry

Aliases  
    * Backdoor.Win32.SdBot.alv
    * New

Prevalence (1-5) 2

Description
W32/Sdbot-AQH is a worm and IRC backdoor Trojan for the Windows 
platform.

W32/Sdbot-AQH runs continuously in the background, providing a 
backdoor server which allows a remote intruder to gain access and 
control over the computer via IRC channels.

W32/Sdbot-AQH includes functionality to access the internet and 
communicate with a remote server via HTTP.

Advanced
W32/Sdbot-AQH is a worm and IRC backdoor Trojan for the Windows 
platform.

W32/Sdbot-AQH runs continuously in the background, providing a 
backdoor server which allows a remote intruder to gain access and 
control over the computer via IRC channels.

W32/Sdbot-AQH includes functionality to access the internet and 
communicate with a remote server via HTTP.

When first run W32/Sdbot-AQH copies itself to <System>\RpcCenter.exe.

The file RpcCenter.exe is registered as a new system driver service 
named "RpcCenter", with a display name of "Remote Procedure Call 
(RPC) Center" and a startup type of automatic, so that it is started 
automatically during system startup. Registry entries are created 
under:

HKLM\SYSTEM\CurrentControlSet\Services\RpcCenter\

W32/Sdbot-AQH sets the following registry entries, disabling the 
automatic startup of other software:

HKLM\SYSTEM\CurrentControlSet\Services\Messenger
Start
4

HKLM\SYSTEM\CurrentControlSet\Services\RemoteRegistry
Start
4

HKLM\SYSTEM\CurrentControlSet\Services\TlntSvr
Start
4

Registry entries are set as follows:

HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate
DoNotAllowXPSP2
1

HKLM\SOFTWARE\Microsoft\Ole
EnableDCOM
N

HKLM\SYSTEM\CurrentControlSet\Control\Lsa
restrictanonymous
1

Registry entries are created under:

HKLM\SOFTWARE\Microsoft\Security Center\
HKLM\SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile\
HKLM\SOFTWARE\Policies\Microsoft\WindowsFirewall\StandardProfile\





Name   Troj/Clckr-W

Type  
    * Spyware Trojan

Affected operating systems  
    * Windows

Side effects  
    * Steals information
    * Installs itself in the Registry
    * Leaves non-infected files on computer

Aliases  
    * AdClicker-DW
    * Trojan-Downloader.Win32.Small.cgz
    * Trojan-Clicker.Win32.Bomka.d

Prevalence (1-5) 2

Description
Troj/Clckr-W is a Trojan for the Windows platform.

Troj/Clckr-W is capable of spying on a user's browsing habits, 
modifying Microsoft Internet Explorer settings, downloading further 
executables and displaying popup advertisements.

Advanced
Troj/Clckr-W is a Trojan for the Windows platform.

Troj/Clckr-W is capable of spying on a user's browsing habits, 
modifying Microsoft Internet Explorer settings, downloading further 
executables and displaying popup advertisements.

When Troj/Clckr-W is installed the following files are created:

<Temp>\Documentazione_riservata.pps
<Windows system folder>\kaboom.dll
<Windows system folder>\msx.dll

The files kaboom.dll and msx.dll are registered as COM objects and 
Browser Helper Objects (BHOs) for Microsoft Internet Explorer, 
creating registry entries under:

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser 
Helper Objects\
{037CE595-57CB-4EB5-9775-97BC112F3BB3}
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser 
Helper Objects\
{25E1A054-1262-459F-9F14-BF06148F4253}
HKCR\CLSID\{037CE595-57CB-4EB5-9775-97BC112F3BB3}
HKCR\CLSID\{25E1A054-1262-459F-9F14-BF06148F4253}
HKCR\Interface\{675F23A3-14DD-4A36-82AA-25C06E1015C3}
HKCR\Interface\{7E951E5E-C57B-41ED-806F-1FBB2E4538C1}
HKCR\Kaboom.Ckbm\
HKCR\Kaboom.Ckbm.1\
HKCR\TypeLib\{140F2204-A6BF-444A-960B-947C5A265A8C}
HKCR\TypeLib\{3E55D5AA-2006-4572-BCF3-643D6AAB9063}
HKCR\do.msx\
HKCR\do.msx.1\

Registry entries are created under:

HKCU\Software\Microsoft\Office\8.0\Common\General\
HKLM\SOFTWARE\Microsoft\zeal\





Name   Troj/Dloadr-HR

Type  
    * Trojan

Affected operating systems  
    * Windows

Side effects  
    * Turns off anti-virus applications
    * Downloads code from the internet

Prevalence (1-5) 2

Description
Troj/Dloadr-HR is a Trojan for the Windows platform.

Troj/Dloadr-HR includes functionality to download, install and run 
new software.

Advanced
Troj/Dloadr-HR is a Trojan for the Windows platform.

Troj/Dloadr-HR includes functionality to download, install and run 
new software.

When Troj/Dloadr-HR is installed the following files are created:

\1.bat - this file may be deleted
<System>\uj.exe - detected as Troj/CashGrab-K

The following registry entries are set, affecting internet security:

HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FiREWaLL
policy\

HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FiREWaLL
policy
StAnDaRDPrOFiLe\

HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FiREWaLL
policy
StAnDaRDPrOFiLe\AUtHorizedapplications\

HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FiREWaLL
policy
StAnDaRDPrOFiLe\AUtHorizedapplications\List\

HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FiREWaLL
policy
StAnDaRDPrOFiLe\AUtHorizedapplications\List
<pathname of the Trojan executable>
<original filename>:*:Enabled:cmsscs





Name   W32/Feebs-G

Type   
    * Worm

How it spreads  
    * Email messages
    * Network shares
    * Peer-to-peer

Affected operating systems  
    * Windows

Side effects  
    * Drops more malware
    * Downloads code from the internet
    * Installs itself in the Registry

Prevalence (1-5) 2

Description
W32/Feebs-G is a worm for the Windows Platform.

W32/Feebs-G may download or drop other files.





Name   Troj/Dropper-EB

Type  
    * Trojan

Affected operating systems  
    * Windows

Side effects  
    * Drops more malware

Aliases  
    * AdClicker-DW
    * Trojan.Adclicker
    * Trojan-Downloader.Win32.Small.cgz
    * Trojan-Clicker.Win32.Bomka.d

Prevalence (1-5) 2

Description
Troj/Dropper-EB is a Trojan for the Windows platform.

Troj/Dropper-EB may arrive as attachment with the filename game.zip 
in email with the subject that suggest to open new "Game for you".

Troj/Dropper-EB drops kaboom.dll and msx.dll files that are detected 
as Troj/Clckr-W.

Advanced
Troj/Dropper-EB is a Trojan for the Windows platform.

Troj/Dropper-EB may arrive as attachment with the filename game.zip 
in email with the subject that suggest to open new "Game for you".

When Troj/Dropper-EB is installed the following files are created:

<Temp>\game1.exe
<System>\kaboom.dll
<System>\msx.dll

The files kaboom.dll and msx.dll are detected as Troj/Clckr-W, 
game1.exe is a joke application that flips the Windows desktop making 
everything upside down.

The files kaboom.dll and msx.dll are registered as COM objects and 
Browser Helper Objects (BHOs) for Microsoft Internet Explorer, 
creating registry entries under:

HKCR\CLSID\(037CE595-57CB-4EB5-9775-97BC112F3BB3)
HKCR\CLSID\(25E1A054-1262-459F-9F14-BF06148F4253)
HKCR\Interface\(675F23A3-14DD-4A36-82AA-25C06E1015C3)
HKCR\Interface\(7E951E5E-C57B-41ED-806F-1FBB2E4538C1)
HKCR\Kaboom.Ckbm\
HKCR\Kaboom.Ckbm.1\
HKCR\TypeLib\(140F2204-A6BF-444A-960B-947C5A265A8C)
HKCR\TypeLib\(3E55D5AA-2006-4572-BCF3-643D6AAB9063)
HKCR\do.msx\
HKCR\do.msx.1\
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser 
Helper Objects\(037CE595-57CB-4EB5-9775-97BC112F3BB3)
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser 
Helper Objects\(25E1A054-1262-459F-9F14-BF06148F4253)

Registry entries are created under:

HKLM\SOFTWARE\Microsoft\zeal\





Name   W32/Sdbot-AOP

Type  
    * Worm

How it spreads  
    * Network shares

Affected operating systems  
    * Windows

Side effects  
    * Allows others to access the computer

Aliases  
    * W32/Sdbot.worm.gen.h
    * Backdoor.Win32.IRCBot.cg

Prevalence (1-5) 2

Description
W32/Sdbot-AOP is an IRC worm for the Windows platform.





Name   Troj/Stinx-O

Type  
    * Trojan

Affected operating systems  
    * Windows

Side effects  
    * Turns off anti-virus applications
    * Allows others to access the computer
    * Downloads code from the internet
    * Reduces system security
    * Installs itself in the Registry

Prevalence (1-5) 2

Description
Troj/Stinx-O is a backdoor Trojan for the Windows platform.

Troj/Stinx-O includes functionality to download and execute further 
code and attempts to disable various security related processes.

Advanced
Troj/Stinx-O is a backdoor Trojan for the Windows platform.

Troj/Stinx-O includes functionality to download and execute further 
code and attempts to disable various security related processes.

Troj/Stinx-O attempts to connect to a pre-defined IRC server on port 
8080 and awaits further commands from a remote user.

When first run Troj/Stinx-O copies itself to <Windows system 
folder>\csrwnd.exe and creates the following files:

<Temp>\696.bat
<Temp>\910.bat

The following registry entries are created to run csrwnd.exe on 
startup:

HKCU\Software\Microsoft\Windows\CurrentVersion\Run
SystemProcEvent
csrwnd.exe

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
SystemProcEvent
csrwnd.exe





Name   Troj/Stinx-P

Type  
    * Trojan

Affected operating systems  
    * Windows

Side effects  
    * Allows others to access the computer
    * Reduces system security
    * Installs itself in the Registry

Aliases  
    * Backdoor.Win32.Breplibot.x

Prevalence (1-5) 2

Description
Troj/Stinx-P is a backdoor Trojan for the Windows platform.

Troj/Stinx-P connects to one of several IP addresses and runs 
continuously in the background, providing a backdoor server which 
allows a remote intruder to gain access and control over the computer 
via IRC channels.

Troj/Stinx-P can be instructed to delete, and download and execute 
files.

Advanced
Troj/Stinx-P is a backdoor Trojan for the Windows platform.

Troj/Stinx-P connects to one of several IP addresses and runs 
continuously in the background, providing a backdoor server which 
allows a remote intruder to gain access and control over the computer 
via IRC channels.

When first run Troj/Stinx-P copies itself to <System>\csrwnd.exe.

The following registry entries are created to run csrwnd.exe on 
startup:

HKCU\Software\Microsoft\Windows\CurrentVersion\Run
SystemProcEvent
csrwnd.exe

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
SystemProcEvent
csrwnd.exe

Troj/Stinx-P can be instructed to delete, and download and execute 
files.

Troj/Stinx-P will attempt to circumvent the Windows Firewall if it is 
present by adding itself to the list of allowed programs.

 
--- MultiMail/Win32 v0.43
 * Origin: Try Our Web Based QWK: DOCSPLACE.ORG (1:123/140)