Text 178, 483 lines
Written 2006-03-04 12:15:00 by KURT WISMER (1:123/140)
Subject: News, March 4 2006
==========================
[cut-n-paste from sophos.com]
Name Troj/Bancos-PV
Type
* Spyware Trojan
Affected operating systems
* Windows
Side effects
* Steals information
* Uses its own emailing engine
* Records keystrokes
* Installs itself in the Registry
Aliases
* Trojan-Spy.Win32.Bancos.u
Prevalence (1-5) 2
Description
Troj/Bancos-PV is a password stealing Trojan for the Windows platform.
When Troj/Bancos-PV is executed the Trojan copies itself to the Windows
folder as sampaerio.exe. The following (harmless) file is also created:
<Windows>\ieupdate.dat
Advanced
Troj/Bancos-PV is a password stealing Trojan for the Windows platform.
When Troj/Bancos-PV is executed the Trojan copies itself to the Windows
folder as sampaerio.exe. The following (harmless) file is also created:
<Windows>\ieupdate.dat
The following registry entry is created to run sampaerio.exe on
startup:
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
  Mapa de caracteres para NT = <Windows>\sampaerio.exe
Name Troj/FeebDl-H
Type
* Trojan
Affected operating systems
* Windows
Side effects
* Downloads code from the internet
* Reduces system security
* Installs itself in the Registry
Aliases
* JS/Feebs.gen.d@MM
Prevalence (1-5) 2
Description
Troj/FeebDl-H is an HTML file which acts as a downloader Trojan for
the Windows platform.
Troj/FeebDl-H attempts to download one of several encoded executable
files and decode it to C:\recycled\userinit.exe. At the time of
writing this file is detected by Sophos as W32/Feebs-Gen.
Advanced
Troj/FeebDl-H is an HTML file which acts as a downloader Trojan for
the Windows platform.
Troj/FeebDl-H attempts to download one of several encoded executable
files and decode it to C:\recycled\userinit.exe. At the time of
writing this file is detected by Sophos as W32/Feebs-Gen.
Troj/FeebDl-H attempts to set the following registry entries:
HKCU\Software\Microsoft\Internet Explorer
  mal = <email address>
Troj/FeebDl-H attempts to delete the following registry entries:
HKLM\SYSTEM\CurrentControlSet\Services\KmxFile
HKLM\SYSTEM\CurrentControlSet\Services\pcipim
HKLM\SYSTEM\CurrentControlSet\Services\pcIPPsC
HKLM\SYSTEM\CurrentControlSet\Services\RapDrv
HKLM\SYSTEM\CurrentControlSet\Services\FirePM
Troj/FeebDl-H attempts to set the following registry entry in order
to automatically run the file it has downloaded when Windows starts up:
HKLM\SOFTWARE\Microsoft\Active Setup\Installed Components\(CD5AC91B-AE7B-E83A-0C4C-E616075972F3)
  Stubpath = C:\recycled\userinit.exe
Name Troj/FeebDl-I
Type
* Trojan
Affected operating systems
* Windows
Side effects
* Downloads code from the internet
Aliases
* JS/Feebs.gen.d@MM
* W32.Feebs
Prevalence (1-5) 2
Description
Troj/FeebDl-I is an HTML file which acts as a downloader Trojan for
the Windows platform.
Troj/FeebDl-I attempts to download one of several encoded executable
files and decode it to C:\recycled\userinit.exe.
Advanced
Troj/FeebDl-I is an HTML file which acts as a downloader Trojan for
the Windows platform.
Troj/FeebDl-I attempts to download one of several encoded executable
files and decode it to C:\recycled\userinit.exe.
Troj/FeebDl-I attempts to set the following registry entries:
HKCU\Software\Microsoft\Internet Explorer
  mal = <email address>
Troj/FeebDl-I attempts to delete the following registry entries:
HKLM\SYSTEM\CurrentControlSet\Services\KmxFile
HKLM\SYSTEM\CurrentControlSet\Services\pcipim
HKLM\SYSTEM\CurrentControlSet\Services\pcIPPsC
HKLM\SYSTEM\CurrentControlSet\Services\RapDrv
HKLM\SYSTEM\CurrentControlSet\Services\FirePM
Troj/FeebDl-I attempts to set the following registry entry in order
to automatically start the file it has downloaded on system start:
HKLM\SOFTWARE\Microsoft\Active Setup\Installed Components\(CD5AC91B-AE7B-E83A-0C4C-E616075972F3)
  Stubpath = C:\recycled\userinit.exe
Name Troj/Haxdoor-AX
Type
* Trojan
Affected operating systems
* Windows
Side effects
* Allows others to access the computer
* Drops more malware
* Installs itself in the Registry
Aliases
* Trojan-Spy.Win32.Goldun.hw
* BackDoor-BAC.gen.dr
Prevalence (1-5) 2
Description
Troj/Haxdoor-AX is a backdoor Trojan for the Windows platform.
Troj/Haxdoor-AX drops components detected as Troj/Haxdor-Gen and
Troj/Haxdor-Fam.
Advanced
Troj/Haxdoor-AX is a backdoor Trojan for the Windows platform.
When Troj/Haxdoor-AX is installed the following files are created:
<Windows system folder>\directprt.sys
<Windows system folder>\directpt.dll
The file directprt.sys is detected as Troj/Haxdor-Gen and the file
directpt.dll is detected as Troj/Haxdor-Fam.
The following registry entries are created to run code exported by
directpt.dll on startup:
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\directpt
  DllName = directpt.dll
  Startup = directpt
  Impersonate = 1
Name Troj/Proxy-BC
Type
* Trojan
Affected operating systems
* Windows
Side effects
* Allows others to access the computer
* Reduces system security
Prevalence (1-5) 2
Description
Troj/Proxy-BC is a Trojan for the Windows platform.
The Trojan allows remote attackers to route HTTP traffic through the
infected computer.
Name Troj/Dloadr-MD
Type
* Trojan
Affected operating systems
* Windows
Side effects
* Downloads code from the internet
Prevalence (1-5) 2
Description
Troj/Dloadr-MD is a downloader Trojan for the Windows platform.
Troj/Dloadr-MD includes functionality to access the internet and
communicate with a remote server via HTTP.
Troj/Dloadr-MD may attempt to disable or subvert the Windows Firewall.
Name W32/Bagle-FN
Type
* Worm
Affected operating systems
* Windows
Side effects
* Dropped by malware
Prevalence (1-5) 2
Description
W32/Bagle-FN is a DLL helper component of the Bagle family of worms.
W32/Bagle-FN may be dropped from members of the Bagle family of worms.
Name W32/Rbot-CJY
Type
* Worm
How it spreads
* Network shares
Affected operating systems
* Windows
Side effects
* Allows others to access the computer
* Installs itself in the Registry
* Exploits system or software vulnerabilities
Prevalence (1-5) 2
Description
W32/Rbot-CJY is a worm and IRC backdoor Trojan for the Windows
platform.
W32/Rbot-CJY runs continuously in the background, providing a
backdoor server which allows a remote intruder to gain access and
control over the computer via IRC channels.
Advanced
W32/Rbot-CJY is a worm and IRC backdoor Trojan for the Windows
platform.
W32/Rbot-CJY runs continuously in the background, providing a
backdoor server which allows a remote intruder to gain access and
control over the computer via IRC channels.
When first run W32/Rbot-CJY copies itself to <System>\ouvselglip.EXE.
The following registry entries are created to run ouvselglip.EXE on
startup:
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
  MICROSFT NT SUPPORT = ouvselglip.EXE
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices
  MICROSFT NT SUPPORT = ouvselglip.EXE
The following registry entry is set:
HKCU\Software\Microsoft\OLE
  MICROSFT NT SUPPORT = ouvselglip.EXE
Name W32/Rbot-CKM
Type
* Worm
How it spreads
* Network shares
Affected operating systems
* Windows
Side effects
* Allows others to access the computer
* Installs itself in the Registry
Aliases
* BKDR_RBOT.EBH
Prevalence (1-5) 2
Description
W32/Rbot-CKM is a worm and IRC backdoor Trojan for the Windows
platform.
W32/Rbot-CKM runs continuously in the background, providing a
backdoor server which allows a remote intruder to gain access and
control over the computer via IRC channels.
W32/Rbot-CKM spreads by copying itself to network shares protected by
weak passwords.
Advanced
W32/Rbot-CKM is a worm and IRC backdoor Trojan for the Windows
platform.
W32/Rbot-CKM runs continuously in the background, providing a
backdoor server which allows a remote intruder to gain access and
control over the computer via IRC channels.
W32/Rbot-CKM spreads by copying itself to network shares protected by
weak passwords.
When first run W32/Rbot-CKM copies itself to <System>\csrrs.exe.
The following registry entries are created to run csrrs.exe on startup:
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
  csr = csrrs.exe
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices
  csr = csrrs.exe
The following registry entry is set:
HKCU\Software\Microsoft\OLE
  csr = csrrs.exe
Name Troj/SysBDr-G
Type
* Trojan
Affected operating systems
* Windows
Side effects
* Drops more malware
Aliases
* SpamTool.Win32.Mailbot.as
Prevalence (1-5) 2
Description
Troj/SysBDr-G is a Trojan for the Windows platform.
Advanced
Troj/SysBDr-G is a Trojan for the Windows platform.
When Troj/SysBDr-G is installed it creates the file
<System>\drivers\sysbus32.sys.
The sysbus32.sys file is detected by Sophos as Troj/SysB-C.
Name Troj/BankSnif-H
Type
* Trojan
Affected operating systems
* Windows
Side effects
* Installs itself in the Registry
Prevalence (1-5) 2
Description
Troj/BankSnif-H is a Trojan for the Windows platform.
Advanced
Troj/BankSnif-H is a Trojan for the Windows platform.
When first run Troj/BankSnif-H copies itself to <User>\order_smey.exe
and creates the file <User>\order_opt3.bin.
Troj/BankSnif-H will inject code into iexplore.exe and monitor
internet traffic.
The following registry entry is created to run order_smey.exe on
startup:
HKCU\Software\Microsoft\Windows\CurrentVersion\Run
  order_Shell = <User>\order_smey.exe
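As an added defender-side example (not part of this message or of Sophos's text), the following PowerShell script audits the autostart locations the entries above use for persistence (Run/RunServices, the HKCU OLE marker key, Winlogon\Notify and Active Setup StubPath) for the file and value names listed in this message. Key paths and indicators are taken from the entries above; the script only reads the registry.

```powershell
# Added audit script (not from the bulletin or from Sophos): a read-only check of the
# autostart registry locations the entries above abuse, flagging values that reference
# the file or value names the bulletin lists. Run in an elevated PowerShell session.

# Indicators taken from the bulletin; C:\recycled\userinit.exe is matched as a full
# path because userinit.exe is also a legitimate Windows binary.
$Indicators = @('sampaerio.exe', 'ouvselglip.EXE', 'csrrs.exe', 'order_smey.exe',
                'directpt.dll', 'C:\recycled\userinit.exe', 'MICROSFT NT SUPPORT')

# Run/RunServices keys plus the HKCU\...\OLE marker key the Rbot variants set.
$RunKeys = @('HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
             'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices',
             'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
             'HKCU:\Software\Microsoft\OLE')
# Subkey-per-component locations: Winlogon\Notify (Haxdoor-AX) loads DllName into
# winlogon.exe; Active Setup (FeebDl-H/I) runs StubPath once per user at logon.
$SubkeyLocations = @{
    'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify' = 'DllName'
    'HKLM:\SOFTWARE\Microsoft\Active Setup\Installed Components'         = 'StubPath'
}

function Test-Indicator([string]$Text) {
    if (-not $Text) { return $false }
    foreach ($i in $Indicators) { if ($Text -like "*$i*") { return $true } }
    return $false
}

$Findings = @()
foreach ($k in $RunKeys) {
    if (-not (Test-Path $k)) { continue }
    foreach ($p in (Get-ItemProperty -Path $k).PSObject.Properties) {
        if ($p.Name -like 'PS*') { continue }   # skip PowerShell's own PSPath etc.
        if ((Test-Indicator $p.Name) -or (Test-Indicator "$($p.Value)")) {
            $Findings += [pscustomobject]@{ Key = $k; Name = $p.Name; Value = $p.Value }
        }
    }
}
foreach ($base in $SubkeyLocations.Keys) {
    $valueName = $SubkeyLocations[$base]
    if (-not (Test-Path $base)) { continue }
    foreach ($sub in Get-ChildItem -Path $base) {
        $data = (Get-ItemProperty -Path $sub.PSPath).$valueName
        if (Test-Indicator $data) {
            $Findings += [pscustomobject]@{ Key = $sub.Name; Name = $valueName; Value = $data }
        }
    }
}

if ($Findings) { $Findings | Format-Table -AutoSize } else { 'No bulletin indicators found.' }
```

A hit in Winlogon\Notify or Active Setup is worth checking by hand even when the data does not match an indicator, since legitimate entries there are few and rarely change.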
--- MultiMail/Win32 v0.43
* Origin: Try Our Web Based QWK: DOCSPLACE.ORG (1:123/140)