Text 184, 1253 rader
Skriven 2006-04-16 11:19:00 av KURT WISMER (1:123/140)
Ärende: News, April 16 2006
===========================
[cut-n-paste from sophos.com]
Name W32/Rbot-DPM
Type
* Worm
How it spreads
* Network shares
Affected operating systems
* Windows
Side effects
* Turns off anti-virus applications
* Allows others to access the computer
* Downloads code from the internet
* Reduces system security
* Installs itself in the Registry
* Exploits system or software vulnerabilities
* Used in DOS attacks
Aliases
* Backdoor.Win32.Rbot.awg
* W32/Sdbot.PAM
Prevalence (1-5) 2
Description
W32/Rbot-DPM is a worm for the Windows platform.
W32/Rbot-DPM spreads
- to computers vulnerable to common exploits, including: LSASS
(MS04-011), RPC-DCOM (MS04-012), WKS (MS03-049), PNP (MS05-039) and
ASN.1 (MS04-007)
- to MSSQL servers protected by weak passwords
- to network shares
The backdoor component connects to an IRC server and awaits commands
from remote attackers.
Advanced
W32/Rbot-DPM is a worm for the Windows platform.
When first run W32/Rbot-DPM copies itself to <System>\snmoo.exe
The following registry entries are created to run snmoo.exe on startup:
HKCU\Software\Microsoft\Windows\CurrentVersion\Run
Inom
snmoo.exe
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Inom
snmoo.exe
HKCU\Software\Microsoft\Windows\CurrentVersion\RunServices
Inom
snmoo.exe
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices
Inom
snmoo.exe
Registry entries are set as follows:
HKCU\SYSTEM\CurrentControlSet\Control\Lsa
Inom
snmoo.exe
HKLM\SYSTEM\CurrentControlSet\Control\Lsa
Inom
snmoo.exe
HKCU\Software\Microsoft\OLE
Inom
snmoo.exe
HKLM\SOFTWARE\Microsoft\Ole
Inom
snmoo.exe
W32/Rbot-DPM spreads
- to computers vulnerable to common exploits, including: LSASS
(MS04-011), RPC-DCOM (MS04-012), WKS (MS03-049), PNP (MS05-039) and
ASN.1 (MS04-007)
- to MSSQL servers protected by weak passwords
- to network shares
The backdoor component connects to an IRC server and awaits commands
from remote attackers.
Name Troj/Agent-BEK
Type
* Trojan
Affected operating systems
* Windows
Side effects
* Modifies data on the computer
* Reduces system security
* Installs itself in the Registry
* Leaves non-infected files on computer
Prevalence (1-5) 2
Description
Troj/Agent-BEK is a Trojan for the Windows platform.
Troj/Agent-BEK creates randomly named shortcuts in the <Favorites>
folder.
The Trojan waits for an Internet Explorer window to open and then
displays a pop
up.
Advanced
Troj/Agent-BEK is a Trojan for the Windows platform.
Troj/Agent-BEK creates randomly named shortcuts in the folder.
The following registry entries are set, affecting internet security:
HKCU\Software\Microsoft\Windows\CurrentVersion\Internet
Settings\ZoneMap\Domains\17hib.com\
HKCU\Software\Microsoft\Windows\CurrentVersion\Internet
Settings\ZoneMap\Domains\17hib.com
*
2
HKCU\Software\Microsoft\Windows\CurrentVersion\Internet
Settings\ZoneMap\Domains\51hi8.com\
HKCU\Software\Microsoft\Windows\CurrentVersion\Internet
Settings\ZoneMap\Domains\51hi8.com
*
2
Name Troj/Dloadr-AVQ
Type
* Trojan
Affected operating systems
* Windows
Side effects
* Downloads code from the internet
Aliases
* Downloader-AVQ
* Trojan-Downloader.Win32.Agent.afl
Prevalence (1-5) 2
Description
Troj/Dloadr-AVQ is a Trojan for the Windows platform.
The Trojan downloads and installs files from a remote site.
Name Troj/ExpHm-B
Type
* Trojan
Affected operating systems
* Windows
Side effects
* Downloads code from the internet
Prevalence (1-5) 2
Description
Troj/ExpHm-B is a downloading Trojan for the Windows platform.
Advanced
Troj/ExpHm-B is a Trojan for the Windows platform.
When run, Troj/ExpHm-B executes shell code from within Internet
Explorer which attempts to download and run \cpu.exe.
Name W32/Agobot-ABR
Type
* Worm
How it spreads
* Network shares
Affected operating systems
* Windows
Side effects
* Allows others to access the computer
* Installs itself in the Registry
* Exploits system or software vulnerabilities
Aliases
* Backdoor.Win32.Agobot.gen
* W32.IRCBot
Prevalence (1-5) 2
Description
W32/Agobot-ABR is a worm with backdoor functionality for the Windows
platform.
W32/Agobot-ABR spreads to other network computers by exploiting
common buffer overflow vulnerabilities, including: PNP (MS05-039) and
ASN.1 (MS04-007).
W32/Agobot-ABR runs continuously in the background, providing a
backdoor server which allows a remote intruder to gain access and
control over the computer via IRC channels.
Advanced
W32/Agobot-ABR is a worm with backdoor functionality for the Windows
platform.
W32/Agobot-ABR spreads to other network computers by exploiting
common buffer overflow vulnerabilities, including: PNP (MS05-039) and
ASN.1 (MS04-007).
W32/Agobot-ABR runs continuously in the background, providing a
backdoor server which allows a remote intruder to gain access and
control over the computer via IRC channels.
When first run W32/Agobot-ABR copies itself to <Windows system
folder>\sslphp32.exe.
The following registry entries are created to run sslphp32.exe on
startup:
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Svcphpwin
sslphp32.exe
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices
Svcphpwin
sslphp32.exe
Registry entries are set as follows:
HKCU\Software\Policies\Microsoft\Windows\WindowsUpdate\AU
NoAutoUpdate
1
HKCU\Software\Policies\Microsoft\Windows\WindowsUpdate\AU
AUOptions
1
HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU
NoAutoUpdate
1
HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU
AUOptions
1
HKLM\SYSTEM\CurrentControlSet\Control\Lsa
AUOptions
1
HKLM\SYSTEM\CurrentControlSet\Control\Lsa
restrictanonymous
0
Registry entries are created under:
HKCU\Software\Microsoft\Security Center\
HKLM\SOFTWARE\Microsoft\Security Center\
Name W32/Francette-Z
Type
* Worm
How it spreads
* Network shares
Affected operating systems
* Windows
Side effects
* Allows others to access the computer
* Installs itself in the Registry
* Exploits system or software vulnerabilities
Aliases
* Backdoor.Win32.Delf.abc
* Win32/Tumbi
Prevalence (1-5) 2
Description
W32/Francette-Z is a worm and backdoor Trojan for the Windows platform.
W32/Francette-Z spreads to other network computers by exploiting
common buffer
overflow vulnerabilities, including RPC-DCOM (MS04-012).
Advanced
W32/Francette-Z is a worm and backdoor Trojan for the Windows platform.
W32/Francette-Z spreads to other network computers by exploiting
common buffer
overflow vulnerabilities, including RPC-DCOM (MS04-012).
W32/Francette-Z runs continuously in the background, providing a
backdoor server
which allows a remote intruder to gain access and control over the
computer via
IRC channels.
The following registry entry is created to run W32/Francette-Z on
startup:
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Microsoft IIS
<pathname of the Trojan executable>
Name Troj/Mlsuc-A
Type
* Trojan
Affected operating systems
* Windows
Side effects
* Allows others to access the computer
* Uses its own emailing engine
* Downloads code from the internet
* Installs itself in the Registry
Prevalence (1-5) 2
Description
Troj/Mlsuc-A is a backdoor Trojan for the Windows platform.
Troj/Mlsuc-A includes functionality to send notification messages to
remote locations.
Advanced
Troj/Mlsuc-A is a backdoor Trojan for the Windows platform.
Troj/Mlsuc-A includes functionality to send notification messages to
remote locations.
When Troj/Mlsuc-A is installed it creates the following clean files:
<System>\delself.bat
<System>\res.dat
<System>\res.tmp
The following registry entry is created to run Troj/Mlsuc-A on startup:
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
DrCache
<pathname of the Trojan executable>
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices
DrCache
<pathname of the Trojan executable>
Troj/Mlsuc-A attempts to delete these registry entries if it detects
that regedit.exe or taskmgr.exe are running. However it in fact
deletes entries with the name "MS NetVR" instead, which are set by
the similar Trojan Troj/Agent-AN.
Troj/Mlsuc-A may perform a number of actions if instructed to do so
by a remote user, including sending emails, rebooting the computer,
sending and receiving files, and executing files.
Name Troj/Bdoor-YL
Type
* Trojan
Affected operating systems
* Windows
Side effects
* Allows others to access the computer
Prevalence (1-5) 2
Description
Troj/Bdoor-YL is a backdoor Trojan.
Troj/Bdoor-YL includes an FTP server and IRC file transfer program as
well as a number of legitimate applications.
Advanced
Troj/Bdoor-YL is a backdoor Trojan.
Troj/Bdoor-YL includes an FTP server and IRC file transfer program as
well as a number of legitimate applications.
Troj/Bdoor-YL may install the following files:
cygcrypt-0.dll
cygwin1.dll
install.bat
install.exe
mdrctrl.dll
mss.ini
msvcr70.dll
msvcr80.dll
packs.txt
rundll32.dll
schedsvc32.dll
schedsvc32.exe
ServUCert.key
ServUDaemon.ini
ServUPerfCount.dll
ServUStartUpLog.txt
snmpapi.dll
spoolsv.exe
spoolsv32.exe
welcome.txt
Install.bat, mss.ini, schedsvc32.exe, spoolsv.exe and spoolsv32.exe
are detected as Troj/Bdoor-YL. All other files are legitimate
applications or their associated data files.
Troj/Bdoor-YL may install itself as services named SessionUpdate and
Smhost.
Name Troj/Proxy-CE
Type
* Trojan
Affected operating systems
* Windows
Prevalence (1-5) 2
Description
Troj/Proxy-CE is a proxy Trojan for the Windows platform.
The Trojan changes internet settings in order that network traffic is
directed to a remote address, unknown to the infected user.
Advanced
Troj/Proxy-CE is a proxy Trojan for the Windows platform.
The Trojan changes internet settings in order that network traffic is
directed to a remote address, unknown to the infected user.
The following registry entries are set:
HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings
ProxyServer
<proxy IP address>:9870
HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings
ProxyEnable
31
Name W32/Letum-A
Type
* Worm
How it spreads
* Email attachments
Affected operating systems
* Windows
Side effects
* Sends itself to email addresses found on the infected computer
* Forges the sender's email address
* Uses its own emailing engine
* Installs itself in the Registry
Aliases
* Email-Worm.Win32.Letum.a
* WORM_LETUM.A
* MSIL/Letum.a@MM
* MSIL.Letum.A@mm
Prevalence (1-5) 2
Description
W32/Letum-A is a mass-mailing and newsgroup messaging worm for the
Windows platform.
Emails and newsgroup messages sent by W32/Letum-A have the following
characteristics:
From:
Symantec Security Response
Subject lines chosen from:
Warning!
Virus Alert
Customer Support
Re:
Re:Warning
Letum
Virus Report
Message text:
'Dear Users
Due to the high increase of the Letum worm, we have upgraded it to
Category B. Please use our attached removal tool to scan and
disinfect your computer from the malware.
Regards
Security Response'
'Hiya,
I've found this tool a couple of weeks ago, and after using it i was
surprised on how good it was on squashing viruses. I wonder if avers
know about this? ;)'
'Maybe not but try this, i'm sure it will help you in your fight
against malware. The engine it uses isnt to bad, but the searching
speed is very fast for such a small size '
Emails sent by the worm have the file attachment of a copy of the
worm as test.exe.
Newsgroup messages sent by the worm also enclose a copy of the worm
executable.
Advanced
W32/Letum-A is a mass-mailing and newsgroup messaging worm for the
Windows platform.
Once installed W32/Letum-A attempts to harvest SMTP and NNTP server
settings from the Microsoft Internet Account Manager under the
registry entry:
HKCU\Software\Microsoft\Internet Account Manager
If the SMTP server setting is not found, W32/Letum-A uses the default
host mail.primaryhost.org.uk.
If the NNTP server setting is not found, W32/Letum-A uses the default
host news.microsoft.com.
Emails and newsgroup messages sent by W32/Letum-A have the following
characteristics:
From:
Symantec Security Response
Subject lines chosen from:
Warning!
Virus Alert
Customer Support
Re:
Re:Warning
Letum
Virus Report
Message text:
'Dear Users
Due to the high increase of the Letum worm, we have upgraded it to
Category B. Please use our attached removal tool to scan and
disinfect your computer from the malware.
Regards
Security Response'
'Hiya,
I've found this tool a couple of weeks ago, and after using it i was
surprised on how good it was on squashing viruses. I wonder if avers
know about this? ;)'
'Maybe not but try this, i'm sure it will help you in your fight
against malware. The engine it uses isnt to bad, but the searching
speed is very fast for such a small size '
Emails sent by the worm have the file attachment of a copy of the
worm as test.exe.
Newsgroup messages sent by the worm also enclose a copy of the worm
executable.
When run W32/Letum-A attempts to copy itself to a random folder as
Letum.exe.
W32/Letum-A creates the following registry entry to run itself on
startup:
HKCU\Software\Microsoft\Windows\CurrentVersion\Run
Letum
<path to worm executable>\Letum.exe
W32/Letum-A also creates the following registry entry:
HKCU\Software\Retro
Letum
<path to worm executable>\Letum.exe
W32/Letum-A may also display a message box with the characteristics:
Title:
'Name Entry Error'
Message:
'GeNeTiX is a person not a f**king genetically modified food product.
She's not happy you called her that!
Regards'
Name W32/Tilebot-EK
Type
* Trojan
How it spreads
* Network shares
Affected operating systems
* Windows
Side effects
* Allows others to access the computer
* Drops more malware
* Reduces system security
* Installs itself in the Registry
* Exploits system or software vulnerabilities
Aliases
* Backdoor.Win32.Aimbot.df
* W32/Kelvir.worm.gen
* WORM_KELVIR.CW
Prevalence (1-5) 2
Description
W32/Tilebot-EK is a worm with backdoor Trojan functionality.
The worm may spread by copying itself to remote network shares or by
exploiting any of the following vulnerabilities: LSASS (MS04-011),
RPC-DCOM (MS04-012), ASN.1 (MS04-007).
Advanced
W32/Tilebot-EK is a worm with backdoor Trojan functionality.
The worm may spread by copying itself to remote network shares or by
exploiting any of the following vulnerabilities: LSASS (MS04-011),
RPC-DCOM (MS04-012), ASN.1 (MS04-007).
When first run W32/Tilebot-EK copies itself to <Windows>\nssrv.exe
and creates the following file:
<System>\rofl.sys
The file rofl.sys is detected as Troj/RKPort-A.
The file nssrv.exe is registered as a new system driver service named
"Microsoft Name Server", with a display name of "Microsoft Name
Server" and a startup type of automatic, so that it is started
automatically during system startup. Registry entries are created
under:
HKLM\SYSTEM\CurrentControlSet\Services\Microsoft Name Server\
The file rofl.sys is registered as a new system driver service named
"rofl", with a display name of "rofl". Registry entries are created
under:
HKLM\SYSTEM\CurrentControlSet\Services\rofl\
W32/Tilebot-EK sets the following registry entries, disabling the
automatic startup of other software:
HKLM\SYSTEM\CurrentControlSet\Services\Messenger
Start
4
HKLM\SYSTEM\CurrentControlSet\Services\RemoteRegistry
Start
4
HKLM\SYSTEM\CurrentControlSet\Services\TlntSvr
Start
4
Registry entries are set as follows:
HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate
DoNotAllowXPSP2
1
HKLM\SOFTWARE\Microsoft\Ole
EnableDCOM
N
HKLM\SYSTEM\CurrentControlSet\Control\Lsa
restrictanonymous
1
Registry entries are created under:
HKLM\SOFTWARE\Microsoft\Security Center\
HKLM\SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile\
HKLM\SOFTWARE\Policies\Microsoft\WindowsFirewall\StandardProfile\
Name W32/Bagle-GM
Type
* Worm
How it spreads
* Email attachments
Affected operating systems
* Windows
Side effects
* Sends itself to email addresses found on the infected computer
* Forges the sender's email address
* Uses its own emailing engine
* Downloads code from the internet
* Installs itself in the Registry
Aliases
* Trojan-Dropper.Win32.Agent.ami
* Trojan.Dropper.Small-66
* Trojan.Clicker.Agent-41
Prevalence (1-5) 2
Description
W32/Bagle-GM is a mass-mailing worm for the Windows platform.
Messages sent by the worm will have the following characteristics:
Subject: chosen randomly from
=?koi8-r?Q?=F0=D2=C9=D7=C5=D4=2C=CB=C1=CB=C9=C5_=CE=CF=D7=CF=D3=D4=C9=3
F?=
=?koi8-r?Q?=F4=D9_=D3=C5=C7=CF=C4=CE=D1_=CB=CF_=CD=CE=C5_=D0=D2=C9=C5=C
4?=
=?koi8-r?Q?=C5=DB=D8=3F?=
=?koi8-r?Q?=F1_=D4=C5=C2=D1_=D3=C5=C7=CF=C4=CE=D1_=D7=C9=C4=C5=CC=C1?=
Message text: non-Latin characters
Attachment name: chosen randomly from
new.cab
me.cab
you.cab
cool.cab
Re.cab
Advanced
W32/Bagle-GM is a mass-mailing worm for the Windows platform.
Messages sent by the worm will have the following characteristics:
Subject: chosen randomly from
=?koi8-r?Q?=F0=D2=C9=D7=C5=D4=2C=CB=C1=CB=C9=C5_=CE=CF=D7=CF=D3=D4=C9=3
F?=
=?koi8-r?Q?=F4=D9_=D3=C5=C7=CF=C4=CE=D1_=CB=CF_=CD=CE=C5_=D0=D2=C9=C5=C
4?=
=?koi8-r?Q?=C5=DB=D8=3F?=
=?koi8-r?Q?=F1_=D4=C5=C2=D1_=D3=C5=C7=CF=C4=CE=D1_=D7=C9=C4=C5=CC=C1?=
Message text: non-Latin characters
Attachment name: chosen randomly from
new.cab
me.cab
you.cab
cool.cab
Re.cab
The attachment is a CAB archive containing a file with a random
basename and one of the following double extensions:
.cab .cpl
.doc .cpl
.txt .cpl
.avi .cpl
.mpeg .cpl
This file is also detected as W32/Bagle-GM.
When first run W32/Bagle-GM copies itself to <Windows
folder>\csrss.exe.
The following registry entry is changed to run W32/Bagle-GM on startup:
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File
Execution Options\explorer.exe
Debugger
<Windows folder>\csrss.exe
W32/Bagle-GM creates registry entries for its own use beneath
HKCU\Software\Microsoft\Windows NT\CurrentVersion\Devices
W32/Bagle-GM contains functionality to download and install updated
versions of itself from preconfigured URLs.
Name W32/Mytob-HG
Type
* Worm
How it spreads
* Email attachments
* Network shares
* Chat programs
* Peer-to-peer
Affected operating systems
* Windows
Side effects
* Turns off anti-virus applications
* Allows others to access the computer
* Sends itself to email addresses found on the infected computer
* Forges the sender's email address
* Uses its own emailing engine
* Installs itself in the Registry
* Leaves non-infected files on computer
Aliases
* Net-Worm.Win32.Small.k
* W32.Mydoom!gen
* WORM_MYTOB.PG
Prevalence (1-5) 2
Description
W32/Mytob-HG is a mass-mailing worm with IRC backdoor functionality.
W32/Mytob-HG spreads:
- via email and Instant Messaging networks
- via filesharing on P2P networks
- through network shares with weak passwords
- to other network computers infected with other backdoors
- to other network computers by exploiting common buffer overflow
vulnerabilities
W32/Mytob-HG runs continuously in the background, providing a
backdoor server which allows a remote intruder to gain access and
control over the computer through IRC channels.
W32/Mytob-HG sends emails with the following characteristics:
Subject: none, or chosen randomly from
test
hi
hello
Mail Delivery System
Mail Transaction Failed
Server Report
Status
Error
Advanced
W32/Mytob-HG is a mass-mailing worm with IRC backdoor functionality.
W32/Mytob-HG spreads:
- via email and Instant Messaging networks
- via filesharing on P2P networks
- through network shares with weak passwords
- to other network computers infected with: Troj/Kuang, Troj/Sub7,
Troj/NetDevil, W32/MyDoom, W32/Bagle, Troj/Optix
- to other network computers by exploiting common buffer overflow
vulnerabilities, including: LSASS (MS04-011), RPC-DCOM (MS04-012),
WebDav
(MS03-007), IIS5SSL (MS04-011), DameWare (CAN-2003-1030), MSSQL
(MS02-039) and
PnP (MS05-039).
W32/Mytob-HG runs continuously in the background, providing a
backdoor server which allows a remote intruder to gain access and
control over the computer through IRC channels.
W32/Mytob-HG sends emails with the following characteristics:
From: an address harvested from the infected computer
Subject: none, or chosen randomly from
test
hi
hello
Mail Delivery System
Mail Transaction Failed
Server Report
Status
Error
Message text: none, or chosen randomly from
test
The message cannot be represented in 7-bit ASCII encoding and has
been sent as a binary attachment.
The message contains Unicode characters and has been sent as a binary
attachment.
Mail transaction failed. Partial message is available.
Attachment: one of the following basenames
document
readme
doc
text
file
data
test
message
body
The attached file may be a zip archive, containing a copy of the worm
executable with a double extension. In all other cases, the attached
file is the worm executable itself, with one of the extensions PIF,
SCR, EXE, CMD or BAT.
W32/Mytob-HG spreads by IM networks such as Yahoo, MSN Messenger and
AOL, as well as IRC. Messages sent by the worm contain one of the
following descriptions:
LOL, this shit is funny
lol, don't forget to watch this video
your going to like this :D
hehe, watch this
look at this video
just look at this brother
The worm will then attempt a file transfer using one of the following
filenames:
funny3.scr
crazyjump.scr
lucky.scr
mjackson.scr
picture1.scr
haha.scr
funny1.scr
funny2.scr
exposed.scr
crazy5.scr
HoT.pif
The worm may also send a link to itself of the form
http://<ip>:2001/<filename>
(where <ip> is the IP address of the infected computer)
W32/Mytob-HG copies itself to the shared folders of various P2P
applications with the following filenames:
activation_crack
Alcohol_120%%_patch
Angilina_Jolie_Sucks_a_Dick
Britney_Spears_sucks_someones_dick.scr
BritneySpears_SoSexy
DAP7.4.x.x_crack
DarkAngel_Lady_get_fucked_so_hardly
dcom_patch
icq2006-final
JenniferLopez_Film_Sexy_Enough
KAV2006_Crack
lcc-win32_update
LimeWire_speed++
Madonna_the_most_sexiest_girl_in_the_world.com
Mariah_Carey_showering_in_bathroom.com
MSN7.0Loader
MSN7.0UniversalPatch
nice_big_asshole_fuck_Jennifer_Lopez.scr
NortonAV2006_Crack
notepad++
nuke2006
office_crack
Opera8
Outlook_hotmail+_fix
RealPlayerv10.xx_crack
rootkitXP
strip-girl-3.0
TaskCatcher
winamp6
YahooMessenger_Loader
ZoneAlarmPro6.xx_Crack
When first run, W32/Mytob-HG copies itself to 0.exe in the Windows
system folder. The worm then creates the following registry entry in
order to be run on startup
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
[string]
<Windows system folder>\0.exe
(Where string may change including variations like 'begin', 'solid',
etc.)
W32/Mytob-HG attempts to terminate the following security-related
processes:
_AVPCC.EXE
_AVPM.EXE
_FINDVIRU.EXE
ACKWIN32.EXE
ALOGSERV.EXE
AMON.EXE
ANTI-TROJAN.EXE
APVXDWIN.EXE
ATGUARD.EXE
AVE32.EXE
AVKSERV.EXE
AVNT.EXE
AVPCC.EXE
AVPM.EXE
AVWIN95.EXE
BLACKICE.EXE
CLAW95CF.EXE
CMGRDIAN.EXE
ECENGINE.EXE
ESAFE.EXE
F-PROT95.EXE
FINDVIRU.EXE
FP-WIN.EXE
FPROT.EXE
GUARDDOG.EXE
IAMAPP.EXE
IOMON98.EXE
KAVPF.EXE
LOOKOUT.EXE
NAVAPSVC.EXE
NAVAPW32.EXE
NAVNT.EXE
NAVW32.EXE
NAVWNT.EXE
NOD32.EXE
NSPLUGIN.EXE
OGRC.EXE
OUTPOST.EXE
OUTPOSTINSTALL.EXE
OUTPOSTPROINSTALL.EXE
RAV7.EXE
RULAUNCH.EXE
SCAN32.EXE
SPIDER.EXE
VET95.EXE
VETTRAY.EXE
VSMAIN.EXE
ZAPRO.EXE
ZAPSETUP3001.EXE
ZATUTOR.EXE
ZONALARM.EXE
ZONALM2601.EXE
ZONEALARM.EXE
Name Troj/Zlob-HQ
Type
* Trojan
Affected operating systems
* Windows
Side effects
* Downloads code from the internet
* Installs itself in the Registry
Aliases
* Trojan-Downloader.Win32.Zlob.li
Prevalence (1-5) 2
Description
Troj/Zlob-HQ is a downloader Trojan for the Windows platform.
Troj/Zlob-HQ may be installed as part of a package pretending to be a
video
codec.
Advanced
Troj/Zlob-HQ is a downloader Trojan for the Windows platform.
Troj/Zlob-HQ may be installed as part of a package pretending to be a
video
codec to the Windows system folder
as a file named dfrgsrv.exe.
This file creates a randomly named DLL also in the system folder
which then
attempts to download further code.
The following registry entry may be set:
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\explorer\run
wininet.dll
dfrgsrv.exe
Name W32/Mytob-HH
Type
* Worm
How it spreads
* Email attachments
* Network shares
* Peer-to-peer
Affected operating systems
* Windows
Side effects
* Turns off anti-virus applications
* Allows others to access the computer
* Sends itself to email addresses found on the infected computer
* Installs itself in the Registry
* Exploits system or software vulnerabilities
Prevalence (1-5) 2
Description
W32/Mytob-HH is a mass-mailing, network and peer-to-peer worm for the
Windows platforms. The worm also has an IRC backdoor component.
W32/Mytob-HH will harvest email addresses from the infected computer
and then mail itself to those addresses as an attachment with
extension ZIP.
W32/Mytob-HH also attempts to terminate a number of anti-virus and
security related applications.
Advanced
W32/Mytob-HH is a mass-mailing, network and peer-to-peer worm for the
Windows platforms. The worm also has an IRC backdoor component.
W32/Mytob-HH spreads to other network computers by exploiting common
buffer overflow vulnerabilities, including: LSASS (MS04-011),
RPC-DCOM (MS04-012), WebDav (MS03-007), IIS5SSL (ms04-011)
(CAN-2003-0719), Dameware (CAN-2003-1030), MSSQL (MS02-039)
(CAN-2002-0649) and PNP (MS05-039)
W32/Mytob-HH copies itself to <System>\ISPSupport.exe as well as
various P2P shared folders using various filenames, eg:
\My Downloads\YahooMessenger_Loader.scr
<Program Files>\KaZaA\My Shared Folder\icq2006-final.bat
<Program Files>\eDonkey2000\Incoming\Angilina_Jolie_Sucks_a_Dick.scr
In order to run automatically when Windows starts up W32/Mytob-HH
creates the following registry entry:
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
ISPSystem
<System>\ISPSupport.exe
W32/Mytob-HH will harvest email addresses from the infected computer
and then mail itself to those addresses as an attachment with
extension ZIP.
W32/Mytob-HH also attempts to terminate a number of anti-virus and
security related applications.
--- MultiMail/Win32 v0.43
* Origin: Try Our Web Based QWK: DOCSPLACE.ORG (1:123/140)
|