Text 190, 1844 rader
Skriven 2006-05-21 11:24:00 av KURT WISMER (1:123/140)
Ärende: News, May 21 2006
=========================
[cut-n-paste from sophos.com]
Name Troj/Clicker-CM
Type
* Trojan
Affected operating systems
* Windows
Side effects
* Downloads code from the internet
* Installs itself in the Registry
Aliases
* Trojan-Clicker.Win32.BHO.d
Prevalence (1-5) 2
Description
Troj/Clicker-CM is a Trojan for the Windows platform.
Advanced
Troj/Clicker-CM is a Trojan for the Windows platform.
When Troj/Clicker-CM is installed the following files are created:
<Temp>\temp.wsf
<Temp>\14125929733.tmp
<System>\IeHelperEx.dll
The files IeHelperEx.dll and 14125929733.tmp are also detected as
Troj/Clicker-CM.
The file IeHelperEx.dll is registered as a COM object and Browser
Helper Object (BHO) for Microsoft Internet Explorer, creating
registry entries under:
HKCR\CLSID\(673BA504-3DDA-4851-8B3C-37AE54E2D688)
HKCR\CLSID\(BA12780E-B91E-41A7-A51A-528CBD64284E)
HKCR\Interface\(57F88FBD-FFD2-4AF2-B138-CD644A8E62B5)
HKCR\Interface\(9EF3F6BA-1BF9-4B4E-9475-437A02DBFA8B)
HKCR\SpecSoft2.BrowserHook\
HKCR\SpecSoft2.BrowserHook.1\
HKCR\SpecSoft2.IExplorerHelper\
HKCR\SpecSoft2.IExplorerHelper.1\
HKCR\TypeLib\(B82C3D8C-F764-4B4E-8272-DC1185CE12FC)
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser
Helper Objects\(BA12780E-B91E-41A7-A51A-528CBD64284E)
Name W32/Kassbot-P
Type
* Worm
How it spreads
* Network shares
* Chat programs
Affected operating systems
* Windows
Side effects
* Turns off anti-virus applications
* Allows others to access the computer
* Downloads code from the internet
* Installs itself in the Registry
* Exploits system or software vulnerabilities
* Used in DOS attacks
Prevalence (1-5) 2
Description
W32/Kassbot-P is a worm and IRC backdoor Trojan for the Windows
platform.
Advanced
W32/Kassbot-P is a worm and IRC backdoor Trojan for the Windows
platform.
W32/Kassbot-P runs continuously in the background, providing a
backdoor server which allows a remote intruder to gain access and
control over the computer via IRC channels.
W32/Kassbot-P spreads to other network computers by:
- exploiting common buffer overflow vulnerabilities, including: LSASS
(MS04-011), RPC-DCOM (MS04-012), WKS (MS03-049) (CAN-2003-0812), PNP
(MS05-039) and ASN.1 (MS04-007)
- copying itself to network shares protected by weak passwords
- via AOL Instant Messenger
W32/Kassbot-P includes functionality to:
- perform DDoS attacks
- terminates security and anti-virus related processes
- downloads code from the internet
- perform port scanning
When first run W32/Kassbot-P copies itself to <Windows>\win32dll.exe.
The file win32dll.exe is registered as a new system driver service
named "winconfig.exe", with a display name of "winconfig.exe" and a
startup type of automatic, so that it is started automatically during
system startup. Registry entries are created under:
HKLM\SYSTEM\CurrentControlSet\Services\winconfig.exe\
W32/Kassbot-P sets the following registry entries, disabling the
automatic startup of other software:
HKLM\SYSTEM\CurrentControlSet\Services\Messenger
Start
4
HKLM\SYSTEM\CurrentControlSet\Services\RemoteRegistry
Start
4
HKLM\SYSTEM\CurrentControlSet\Services\TlntSvr
Start
4
Registry entries are set as follows:
HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate
DoNotAllowXPSP2
1
HKLM\SOFTWARE\Microsoft\Ole
EnableDCOM
N
HKLM\SYSTEM\CurrentControlSet\Control\Lsa
restrictanonymous
1
Registry entries are created under:
HKLM\SOFTWARE\Microsoft\Security Center\
HKLM\SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile\
HKLM\SOFTWARE\Policies\Microsoft\WindowsFirewall\StandardProfile\
Name Troj/Agent-BMT
Type
* Trojan
Affected operating systems
* Windows
Side effects
* Drops more malware
* Downloads code from the internet
* Installs itself in the Registry
Prevalence (1-5) 2
Description
Troj/Agent-BMT is a Trojan for the Windows platform.
Advanced
Troj/Agent-BMT is a Trojan for the Windows platform.
When Troj/Agent-BMT is installed the following files are created:
<Windows>\qkjyt7dx.dll
<System>\vook.sys - detected by Sophos as Troj/NTRootK-AC.
The file vook.sys is registered as a new system driver service named
"squell",
with a display name of "squell". Registry entries are created under:
HKLM\SYSTEM\CurrentControlSet\Services\squell\
Name Troj/Dwnldr-BVS
Type
* Trojan
Affected operating systems
* Windows
Side effects
* Downloads code from the internet
Aliases
* Trojan-Dropper.Win32.Small.rn
* Win32/TrojanDropper.Small.RN
Prevalence (1-5) 2
Description
Troj/Dwnldr-BVS is a downloader Trojan for the Windows platform.
Advanced
Troj/Dwnldr-BVS is a downloader Trojan for the Windows platform.
When Troj/Dwnldr-BVS is installed it creates the file <Program
Files>\hpdll\hpdll.exe.
Name Troj/Mlsuc-C
Type
* Trojan
Affected operating systems
* Windows
Side effects
* Allows others to access the computer
* Downloads code from the internet
* Installs itself in the Registry
Prevalence (1-5) 2
Description
Troj/Mlsuc-C is a backdoor Trojan for the Windows platform.
Troj/Mlsuc-C includes functionality to send notification messages to
remote locations.
Troj/Mlsuc-C provides unauthorized remote access to the infected
computer with the following services:
delete files from infected computer
reboot computer
run files on infected computer
terminate running processes on infected computer
transfer files to and from infected computer
Advanced
Troj/Mlsuc-C is a backdoor Trojan for the Windows platform.
Troj/Mlsuc-C includes functionality to send notification messages to
remote locations.
Troj/Mlsuc-C provides unauthorized remote access to the infected
computer with the following services:
delete files from infected computer
reboot computer
run files on infected computer
terminate running processes on infected computer
transfer files to and from infected computer
When Troj/Mlsuc-C is installed the following files may be created:
<Windows system folder>\delself.bat
<Windows system folder>\res.dat
<Windows system folder>\res.tmp
<Windows system folder>\phde32.sys
where phde32.sys is installed as an NT kernel driver that has the
capability to hide processes and to steal system information.
Name Troj/Banloa-ACM
Type
* Trojan
Affected operating systems
* Windows
Side effects
* Allows others to access the computer
* Downloads code from the internet
* Installs itself in the Registry
Aliases
* Trojan-Downloader.Win32.Banload.ahv
Prevalence (1-5) 2
Description
Troj/Banloa-ACM is a backdoor Trojan which allows a remote intruder
to gain access and control over the computer.
Advanced
Troj/Banloa-ACM is a backdoor Trojan which allows a remote intruder
to gain access and control over the computer.
Troj/Banloa-ACM includes functionality to access the internet and
communicate with a remote server via HTTP.
When run Troj/Banloa-ACM attempts to store the downloaded file to
<System>\Isass.scr and run it.
Name Troj/WowPWS-H
Type
* Spyware Trojan
Affected operating systems
* Windows
Side effects
* Steals information
Prevalence (1-5) 2
Description
Troj/WowPWS-H is a password stealing Trojan for the Windows platform.
Troj/WowPWS-H targets the online game World of Warcraft.
Advanced
Troj/WowPWS-H is a password stealing Trojan for the Windows platform.
Troj/WowPWS-H targets the online game World of Warcraft.
When first run Troj/WowPWS-H copies itself to <Windows>\lsass.exe.
Name W32/Bagle-JJ
Type
* Spyware Worm
How it spreads
* Email attachments
Affected operating systems
* Windows
Side effects
* Sends itself to email addresses found on the infected computer
* Steals information
* Uses its own emailing engine
Prevalence (1-5) 2
Description
W32/Bagle-JJ is an email worm for the Windows platform.
The worm harvests email addresses from files on the infected computer.
The worm connects to a remote server in order to download additional
configuration data.
Advanced
W32/Bagle-JJ is an email worm for the Windows platform.
The worm harvests email addresses from files on the infected computer
with the following file extensions:
ADB ASP CFG CGI DBX DHTM EML HTM JSP MBX MDX MHT MMF MSG NCH ODS OFT
PHP PL SHT SHTM STM TBB TXT UIN WAB WSH XLS XML
W32/Bagle-JJ avoids sending emails to addresses containing any of the
following:
@.
.@
..
@avp.
@foo
@iana
@messagelab
abuse
admin
anyone@
bsd
bugs@
cafee
certific
contract@
f-secur
feste
free-av
gold-certs@
google
help@
icrosoft
info@
kasp
linux
listserv
local
news
nobody@
noone@
noreply
ntivi
panda
pgp
postmaster@
rating@
root@
samples
sopho
spam
support
unix
update
winrar
winzip
Email sent by W32/Bagle-JJ may contain attachments having the
following filenames with the ZIP file extension:
guupd02
Jol03
siupd02
upd02
viupd02
wsd01
zupd02
The worm connects to a remote server in order to download additional
configuration data.
Name W32/Brontok-AQ
Type
* Worm
How it spreads
* Email attachments
Affected operating systems
* Windows
Side effects
* Turns off anti-virus applications
* Sends itself to email addresses found on the infected computer
* Modifies data on the computer
* Deletes files off the computer
* Forges the sender's email address
* Uses its own emailing engine
* Installs itself in the Registry
* Leaves non-infected files on computer
Aliases
* Win32/Pazetus.D
* Email-Worm.Win32.Brontok.n
* WORM_RONTKBR.GEN
Prevalence (1-5) 2
Description
W32/Brontok-AQ is a mass-mailing worm for the Windows platform.
W32/Brontok-AQ sends itself to email addresses found on the infected
computer.
Emails sent by the worm have the following characteristics:
From:
dewi_21@cbn.net.id
ratna_19@rad.net.id
claudia_21@aol.com
angelina_19@attglobal.net
If the recipient's address is Indonesian:
Subject: Fotoku yg Paling Cantik
Message text:
Hi,
Aku lg iseng aja pengen kirim foto ke kamu
Jangan lupain aku ya !.
Thanks
For all other addresses:
Subject: My Best Photo
Message text:
Hi,
I want to share my photo with you.
Wishing you all the best.
Regards,
Attachment name: Photo.zip
The zip file contains Photo.bmp and View-Photo.bat. View-Photo.bat
runs Photo.bmp.
Photo.bmp is an executable (currently detected as Troj/DwnLdr-BWB)
which attempts to download and execute a copy of the worm from a
preconfigured website. At the time of writing, this website is
unavailable.
Advanced
W32/Brontok-AQ is a mass-mailing worm for the Windows platform.
W32/Brontok-AQ sends itself to email addresses found on the infected
computer.
Emails sent by the worm have the following characteristics:
From:
dewi_21@cbn.net.id
ratna_19@rad.net.id
claudia_21@aol.com
angelina_19@attglobal.net
If the recipient's address is Indonesian:
Subject: Fotoku yg Paling Cantik
Message text:
Hi,
Aku lg iseng aja pengen kirim foto ke kamu
Jangan lupain aku ya !.
Thanks
For all other addresses:
Subject: My Best Photo
Message text:
Hi,
I want to share my photo with you.
Wishing you all the best.
Regards,
Attachment name: Photo.zip
The zip file contains Photo.bmp and View-Photo.bat. View-Photo.bat
runs Photo.bmp.
Photo.bmp is an executable (currently detected as Troj/DwnLdr-BWB)
which attempts to download and execute a copy of the worm from a
preconfigured website. At the time of writing, this website is
unavailable.
W32/Brontok-AQ closes windows whose titles contain any of the
following:
wintask
folder option
trojan
windows script
commander
pc-media
killer
ertanto
CLEANER
REMOVER
PROCESS EXP
SYSINTERNAL
killbox
scheduled task
computer management
cmd.exe
group policy
system configuration
command prompt
registry
baca bro !!!
task manager
When first run W32/Brontok-AQ copies itself to:
<User>\Local Settings\Application Data\dv<random>\yesbron.com
<User>\Local Settings\Application Data\jalak<random>.com
<Windows>\_default<random>.pif
<Windows>\j<random>.exe
<Windows>\o<random>.exe
<Windows>\sa<random>\ib<random>.exe
<System>\c<random>.com
<System>\n<random>\b<random>.exe
<System>\n<random>\csrss.exe
<System>\n<random>\lsass.exe
<System>\n<random>\services.exe
<System>\n<random>\smss.exe
<System>\n<random>\sv<random>.exe
<System>\n<random>\winlogon.exe
where <random> is a sequence of randomly generated numbers.
and creates the following files:
Baca Bro !!!.txt
<Windows>\Tasks\At1.job
<Windows>\Tasks\At2.job
<System>\n5817\c.bron.tok.txt
These files can be deleted.
The .job files each contain a scheduled task, instructing Windows to
execute the installed copies of the worm once per day.
W32/Brontok-AQ may install a new version of the file
<System>\msvbvm60.dll.
The following registry entries are created to run yesbron.com,
_default<random>.pif, j<random>.exe and sv<random>.exe on startup:
HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\run
<random characters>
<User>\Local Settings\Application Data\dv<random>\yesbron.com
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\run
<random characters>
<Windows>\_default<random>.pif
HKCU\Software\Microsoft\Windows\CurrentVersion\Run
<random characters>
<System>\n<random>\sv<random>.exe
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
<random characters>
<Windows>\j<random>.exe
The following registry entries are changed to run j<random>.exe and
o<random>.exe on startup:
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon
Shell
Explorer.exe "<Windows>\o<random>.exe"
(the default value for this registry entry is "Explorer.exe" which
causes the Microsoft file <Windows>\Explorer.exe to be run on startup).
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon
Userinit
<System>\userinit.exe,<Windows>\j<random>.exe
(the default value for this registry entry is
"<Windows>\System32\userinit.exe,").
The following registry entry is set, disabling the registry editor
(regedit):
HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System
DisableRegistryTools
1
Registry entries are set as follows:
HKCU\Software\Brontok
Message
Look @ "C:\Baca Bro !!!.txt"
HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced
Hidden
0
HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced
HideFileExt
1
HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced
ShowSuperHidden
0
Registry entries are created under:
HKCU\Software\Brontok\
W32/Brontok-AQ also overwrites the HOSTS file with the following
mappings:
127.0.0.21 mcafee.com
127.0.0.21 www.mcafee.com
127.0.0.21 mcafee.net
127.0.0.21 www.mcafee.net
127.0.0.21 mcafee.org
127.0.0.21 www.mcafee.org
127.0.0.21 mcafeesecurity.com
127.0.0.21 www.mcafeesecurity.com
127.0.0.21 mcafeesecurity.net
127.0.0.21 www.mcafeesecurity.net
127.0.0.21 mcafeesecurity.org
127.0.0.21 www.mcafeesecurity.org
127.0.0.21 mcafeeb2b.com
127.0.0.21 www.mcafeeb2b.com
127.0.0.21 mcafeeb2b.net
127.0.0.21 www.mcafeeb2b.net
127.0.0.21 mcafeeb2b.org
127.0.0.21 www.mcafeeb2b.org
127.0.0.21 nai.com
127.0.0.21 www.nai.com
127.0.0.21 nai.net
127.0.0.21 www.nai.net
127.0.0.21 nai.org
127.0.0.21 www.nai.org
127.0.0.21 vil.nai.com
127.0.0.21 www.vil.nai.com
127.0.0.21 vil.nai.net
127.0.0.21 www.vil.nai.net
127.0.0.21 vil.nai.org
127.0.0.21 www.vil.nai.org
127.0.0.21 grisoft.com
127.0.0.21 www.grisoft.com
127.0.0.21 grisoft.net
127.0.0.21 www.grisoft.net
127.0.0.21 grisoft.org
127.0.0.21 www.grisoft.org
127.0.0.21 kaspersky-labs.com
127.0.0.21 www.kaspersky-labs.com
127.0.0.21 kaspersky-labs.net
127.0.0.21 www.kaspersky-labs.net
127.0.0.21 kaspersky-labs.org
127.0.0.21 www.kaspersky-labs.org
127.0.0.21 kaspersky.com
127.0.0.21 www.kaspersky.com
127.0.0.21 kaspersky.net
127.0.0.21 www.kaspersky.net
127.0.0.21 kaspersky.org
127.0.0.21 www.kaspersky.org
127.0.0.21 downloads1.kaspersky-labs.com
127.0.0.21 www.downloads1.kaspersky-labs.com
127.0.0.21 downloads1.kaspersky-labs.net
127.0.0.21 www.downloads1.kaspersky-labs.net
127.0.0.21 downloads1.kaspersky-labs.org
127.0.0.21 www.downloads1.kaspersky-labs.org
127.0.0.21 downloads2.kaspersky-labs.com
127.0.0.21 www.downloads2.kaspersky-labs.com
127.0.0.21 downloads2.kaspersky-labs.net
127.0.0.21 www.downloads2.kaspersky-labs.net
127.0.0.21 downloads2.kaspersky-labs.org
127.0.0.21 www.downloads2.kaspersky-labs.org
127.0.0.21 downloads3.kaspersky-labs.com
127.0.0.21 www.downloads3.kaspersky-labs.com
127.0.0.21 downloads3.kaspersky-labs.net
127.0.0.21 www.downloads3.kaspersky-labs.net
127.0.0.21 downloads3.kaspersky-labs.org
127.0.0.21 www.downloads3.kaspersky-labs.org
127.0.0.21 downloads4.kaspersky-labs.com
127.0.0.21 www.downloads4.kaspersky-labs.com
127.0.0.21 downloads4.kaspersky-labs.net
127.0.0.21 www.downloads4.kaspersky-labs.net
127.0.0.21 downloads4.kaspersky-labs.org
127.0.0.21 www.downloads4.kaspersky-labs.org
127.0.0.21 download.mcafee.com
127.0.0.21 www.download.mcafee.com
127.0.0.21 download.mcafee.net
127.0.0.21 www.download.mcafee.net
127.0.0.21 download.mcafee.org
127.0.0.21 www.download.mcafee.org
127.0.0.21 norton.com
127.0.0.21 www.norton.com
127.0.0.21 norton.net
127.0.0.21 www.norton.net
127.0.0.21 norton.org
127.0.0.21 www.norton.org
127.0.0.21 symantec.com
127.0.0.21 www.symantec.com
127.0.0.21 symantec.net
127.0.0.21 www.symantec.net
127.0.0.21 symantec.org
127.0.0.21 www.symantec.org
127.0.0.21 liveupdate.symantecliveupdate.com
127.0.0.21 www.liveupdate.symantecliveupdate.com
127.0.0.21 liveupdate.symantecliveupdate.net
127.0.0.21 www.liveupdate.symantecliveupdate.net
127.0.0.21 liveupdate.symantecliveupdate.org
127.0.0.21 www.liveupdate.symantecliveupdate.org
127.0.0.21 liveupdate.symantec.com
127.0.0.21 www.liveupdate.symantec.com
127.0.0.21 liveupdate.symantec.net
127.0.0.21 www.liveupdate.symantec.net
127.0.0.21 liveupdate.symantec.org
127.0.0.21 www.liveupdate.symantec.org
127.0.0.21 update.symantec.com
127.0.0.21 www.update.symantec.com
127.0.0.21 update.symantec.net
127.0.0.21 www.update.symantec.net
127.0.0.21 update.symantec.org
127.0.0.21 www.update.symantec.org
127.0.0.21 securityresponse.symantec.com
127.0.0.21 www.securityresponse.symantec.com
127.0.0.21 securityresponse.symantec.net
127.0.0.21 www.securityresponse.symantec.net
127.0.0.21 securityresponse.symantec.org
127.0.0.21 www.securityresponse.symantec.org
127.0.0.21 sarc.com
127.0.0.21 www.sarc.com
127.0.0.21 sarc.net
127.0.0.21 www.sarc.net
127.0.0.21 sarc.org
127.0.0.21 www.sarc.org
127.0.0.21 vaksin.com
127.0.0.21 www.vaksin.com
127.0.0.21 vaksin.net
127.0.0.21 www.vaksin.net
127.0.0.21 vaksin.org
127.0.0.21 www.vaksin.org
127.0.0.21 forum.vaksin.com
127.0.0.21 www.forum.vaksin.com
127.0.0.21 forum.vaksin.net
127.0.0.21 www.forum.vaksin.net
127.0.0.21 forum.vaksin.org
127.0.0.21 www.forum.vaksin.org
127.0.0.21 norman.com
127.0.0.21 www.norman.com
127.0.0.21 norman.net
127.0.0.21 www.norman.net
127.0.0.21 norman.org
127.0.0.21 www.norman.org
127.0.0.21 trendmicro.com
127.0.0.21 www.trendmicro.com
127.0.0.21 trendmicro.net
127.0.0.21 www.trendmicro.net
127.0.0.21 trendmicro.org
127.0.0.21 www.trendmicro.org
127.0.0.21 trendmicro-europe.com
127.0.0.21 www.trendmicro-europe.com
127.0.0.21 trendmicro-europe.net
127.0.0.21 www.trendmicro-europe.net
127.0.0.21 trendmicro-europe.org
127.0.0.21 www.trendmicro-europe.org
127.0.0.21 ae.trendmicro-europe.com
127.0.0.21 www.ae.trendmicro-europe.com
127.0.0.21 ae.trendmicro-europe.net
127.0.0.21 www.ae.trendmicro-europe.net
127.0.0.21 ae.trendmicro-europe.org
127.0.0.21 www.ae.trendmicro-europe.org
127.0.0.21 it.trendmicro-europe.com
127.0.0.21 www.it.trendmicro-europe.com
127.0.0.21 it.trendmicro-europe.net
127.0.0.21 www.it.trendmicro-europe.net
127.0.0.21 it.trendmicro-europe.org
127.0.0.21 www.it.trendmicro-europe.org
127.0.0.21 secunia.com
127.0.0.21 www.secunia.com
127.0.0.21 secunia.net
127.0.0.21 www.secunia.net
127.0.0.21 secunia.org
127.0.0.21 www.secunia.org
127.0.0.21 winantivirus.com
127.0.0.21 www.winantivirus.com
127.0.0.21 winantivirus.net
127.0.0.21 www.winantivirus.net
127.0.0.21 winantivirus.org
127.0.0.21 www.winantivirus.org
127.0.0.21 pandasoftware.com
127.0.0.21 www.pandasoftware.com
127.0.0.21 pandasoftware.net
127.0.0.21 www.pandasoftware.net
127.0.0.21 pandasoftware.org
127.0.0.21 www.pandasoftware.org
127.0.0.21 esafe.com
127.0.0.21 www.esafe.com
127.0.0.21 esafe.net
127.0.0.21 www.esafe.net
127.0.0.21 esafe.org
127.0.0.21 www.esafe.org
127.0.0.21 f-secure.com
127.0.0.21 www.f-secure.com
127.0.0.21 f-secure.net
127.0.0.21 www.f-secure.net
127.0.0.21 f-secure.org
127.0.0.21 www.f-secure.org
127.0.0.21 europe.f-secure.com
127.0.0.21 www.europe.f-secure.com
127.0.0.21 europe.f-secure.net
127.0.0.21 www.europe.f-secure.net
127.0.0.21 europe.f-secure.org
127.0.0.21 www.europe.f-secure.org
127.0.0.21 bhs.com
127.0.0.21 www.bhs.com
127.0.0.21 bhs.net
127.0.0.21 www.bhs.net
127.0.0.21 bhs.org
127.0.0.21 www.bhs.org
127.0.0.21 datafellows.com
127.0.0.21 www.datafellows.com
127.0.0.21 datafellows.net
127.0.0.21 www.datafellows.net
127.0.0.21 datafellows.org
127.0.0.21 www.datafellows.org
127.0.0.21 cheyenne.com
127.0.0.21 www.cheyenne.com
127.0.0.21 cheyenne.net
127.0.0.21 www.cheyenne.net
127.0.0.21 cheyenne.org
127.0.0.21 www.cheyenne.org
127.0.0.21 ontrack.com
127.0.0.21 www.ontrack.com
127.0.0.21 ontrack.net
127.0.0.21 www.ontrack.net
127.0.0.21 ontrack.org
127.0.0.21 www.ontrack.org
127.0.0.21 sands.com
127.0.0.21 www.sands.com
127.0.0.21 sands.net
127.0.0.21 www.sands.net
127.0.0.21 sands.org
127.0.0.21 www.sands.org
127.0.0.21 sophos.com
127.0.0.21 www.sophos.com
127.0.0.21 sophos.net
127.0.0.21 www.sophos.net
127.0.0.21 sophos.org
127.0.0.21 www.sophos.org
127.0.0.21 icubed.com
127.0.0.21 www.icubed.com
127.0.0.21 icubed.net
127.0.0.21 www.icubed.net
127.0.0.21 icubed.org
127.0.0.21 www.icubed.org
127.0.0.21 perantivirus.com
127.0.0.21 www.perantivirus.com
127.0.0.21 perantivirus.net
127.0.0.21 www.perantivirus.net
127.0.0.21 perantivirus.org
127.0.0.21 www.perantivirus.org
127.0.0.21 castlecops.com
127.0.0.21 www.castlecops.com
127.0.0.21 castlecops.net
127.0.0.21 www.castlecops.net
127.0.0.21 castlecops.org
127.0.0.21 www.castlecops.org
127.0.0.21 virustotal.com
127.0.0.21 www.virustotal.com
127.0.0.21 virustotal.net
127.0.0.21 www.virustotal.net
127.0.0.21 virustotal.org
127.0.0.21 www.virustotal.org
127.0.0.21 free-av.com
127.0.0.21 www.free-av.com
127.0.0.21 free-av.net
127.0.0.21 www.free-av.net
127.0.0.21 free-av.org
127.0.0.21 www.free-av.org
127.0.0.21 antivirus.com
127.0.0.21 www.antivirus.com
127.0.0.21 antivirus.net
127.0.0.21 www.antivirus.net
127.0.0.21 antivirus.org
127.0.0.21 www.antivirus.org
127.0.0.21 anti-virus.com
127.0.0.21 www.anti-virus.com
127.0.0.21 anti-virus.net
127.0.0.21 www.anti-virus.net
127.0.0.21 anti-virus.org
127.0.0.21 www.anti-virus.org
127.0.0.21 ca.com
127.0.0.21 www.ca.com
127.0.0.21 ca.net
127.0.0.21 www.ca.net
127.0.0.21 ca.org
127.0.0.21 www.ca.org
127.0.0.21 fajarweb.com
127.0.0.21 www.fajarweb.com
127.0.0.21 fajarweb.net
127.0.0.21 www.fajarweb.net
127.0.0.21 fajarweb.org
127.0.0.21 www.fajarweb.org
127.0.0.21 jasakom.com
127.0.0.21 www.jasakom.com
127.0.0.21 jasakom.net
127.0.0.21 www.jasakom.net
127.0.0.21 jasakom.org
127.0.0.21 www.jasakom.org
127.0.0.21 backup.grisoft.com
127.0.0.21 www.backup.grisoft.com
127.0.0.21 backup.grisoft.net
127.0.0.21 www.backup.grisoft.net
127.0.0.21 backup.grisoft.org
127.0.0.21 www.backup.grisoft.org
127.0.0.21 infokomputer.com
127.0.0.21 www.infokomputer.com
127.0.0.21 infokomputer.net
127.0.0.21 www.infokomputer.net
127.0.0.21 infokomputer.org
127.0.0.21 www.infokomputer.org
127.0.0.21 playboy.com
127.0.0.21 www.playboy.com
127.0.0.21 playboy.net
127.0.0.21 www.playboy.net
127.0.0.21 playboy.org
127.0.0.21 www.playboy.org
127.0.0.21 sex-mission.com
127.0.0.21 www.sex-mission.com
127.0.0.21 sex-mission.net
127.0.0.21 www.sex-mission.net
127.0.0.21 sex-mission.org
127.0.0.21 www.sex-mission.org
127.0.0.21 pornstargals.com
127.0.0.21 www.pornstargals.com
127.0.0.21 pornstargals.net
127.0.0.21 www.pornstargals.net
127.0.0.21 pornstargals.org
127.0.0.21 www.pornstargals.org
127.0.0.21 kaskus.com
127.0.0.21 www.kaskus.com
127.0.0.21 kaskus.net
127.0.0.21 www.kaskus.net
127.0.0.21 kaskus.org
127.0.0.21 www.kaskus.org
127.0.0.21 17tahun.com
127.0.0.21 www.17tahun.com
127.0.0.21 17tahun.net
127.0.0.21 www.17tahun.net
127.0.0.21 17tahun.org
127.0.0.21 www.17tahun.org
127.0.0.21 padinet.com
127.0.0.21 www.padinet.com
127.0.0.21 padinet.net
127.0.0.21 www.padinet.net
127.0.0.21 padinet.org
127.0.0.21 www.padinet.org
127.0.0.21 jeruk.padinet.com
127.0.0.21 www.jeruk.padinet.com
127.0.0.21 jeruk.padinet.net
127.0.0.21 www.jeruk.padinet.net
127.0.0.21 jeruk.padinet.org
127.0.0.21 www.jeruk.padinet.org
127.0.0.21 compactbyte.com
127.0.0.21 www.compactbyte.com
127.0.0.21 compactbyte.net
127.0.0.21 www.compactbyte.net
127.0.0.21 compactbyte.org
127.0.0.21 www.compactbyte.org
127.0.0.21 blog.compactbyte.com
127.0.0.21 www.blog.compactbyte.com
127.0.0.21 blog.compactbyte.net
127.0.0.21 www.blog.compactbyte.net
127.0.0.21 blog.compactbyte.org
127.0.0.21 www.blog.compactbyte.org
127.0.0.21 blogs.compactbyte.com
127.0.0.21 www.blogs.compactbyte.com
127.0.0.21 blogs.compactbyte.net
127.0.0.21 www.blogs.compactbyte.net
127.0.0.21 blogs.compactbyte.org
127.0.0.21 www.blogs.compactbyte.org
Name Troj/Cimuz-AI
Type
* Spyware Trojan
Affected operating systems
* Windows
Side effects
* Steals information
* Installs itself in the Registry
Aliases
* Trojan-Spy.Win32.Agent.eo
* Spy-Agent.ak
Prevalence (1-5) 2
Description
Troj/Cimuz-AI is a Trojan for the Windows platform.
Troj/Cimuz-AI includes functionality to access the internet and
communicate with a remote server via HTTP. The Trojan opens a
backdoor and connects to several remote sites to report the
availability of the infected computer and the port on which attackers
can connect.
Troj/Cimuz-AI may also steal information such as email account
usernames and passwords.
Advanced
Troj/Cimuz-AI is a Trojan for the Windows platform.
Troj/Cimuz-AI includes functionality to access the internet and
communicate with a remote server via HTTP. The Trojan opens a
backdoor and connects to several remote sites to report the
availability of the infected computer and the port on which attackers
can connect.
Troj/Cimuz-AI may also steal information such as email account
usernames and passwords.
When Troj/Cimuz-AI is installed it creates the file \ipv4mons.dll.
The file ipv4mons.dll is registered as a COM object and Browser
Helper Object (BHO) for Microsoft Internet Explorer, creating
registry entries under:
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser
Helper Objects\(78364D99-A240-4dff-B11A-67E448373045)
HKCR\CLSID\(78364D99-A240-4dff-B11A-67E448373045)
The following registry entry is set, affecting internet security:
HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\Firewall
Policy\StandardProfile\AuthorizedApplications\List\\Internet Explorer
IEXPLORE.EXE
<Program Files>\Internet Explorer\IEXPLORE.EXE:*:Enabled:Internet
Explorer
The following registry entry is set:
HKCU\Software\Microsoft\Internet Explorer\Main
Enable Browser Extensions
yes
Name Troj/Zlob-JU
Type
* Trojan
Affected operating systems
* Windows
Side effects
* Installs itself in the Registry
Aliases
* Win32/TrojanDownloader.Zlob.NW
Prevalence (1-5) 2
Description
Troj/Zlob-JU is a Trojan for the Windows platform.
Advanced
Troj/Zlob-JU is a Trojan for the Windows platform.
When Troj/Zlob-JU is installed the following files are created:
<Windows system folder>\simpole.tlb
<Windows system folder>\stdole3.tlb
<Windows system folder>\hp<rnd>.tmp
where <rnd> is a string of random characters.
These files are also detected as Troj/Zlob-JU.
The file hp<rnd>.tmp is registered as a COM object and Browser Helper
Object (BHO) for Microsoft Internet Explorer, creating registry
entries under:
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser
Helper Objects\({0398eca-0bcd-4645-8261-5e9dc70248d0}
HKCR\CLSID\{B0398ECA-0BCD-4645-8261-5E9DC70248D0}
Troj/Zlob-JU changes Start Page and search settings for Microsoft
Internet Explorer by modifying values under:
HKCU\Software\Microsoft\Internet Explorer\Search\
HKCU\Software\Microsoft\Internet Explorer\Main\Start Page
Registry entries may be set under:
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser
Helper Objecta\{b0398eca-0bcd-4645-8261-5e9dc70248d0}
Name Troj/Agent-BMV
Type
* Trojan
Affected operating systems
* Windows
Side effects
* Drops more malware
Aliases
* Trojan-Dropper.Win32.Agent.aie
* TROJ_DROPPER.UF
Prevalence (1-5) 2
Description
Troj/Agent-BMV is a Trojan installer for the Windows platform.
Advanced
Troj/Agent-BMV is a Trojan installer for the Windows platform.
When Troj/Agent-BMV is installed the following files are created:
<Windows>\<random name>.exe (detected as Troj/DwnLdr-EFH)
<Windows>\<random name>A.exe (detected as Troj/DwnLdr-EFH)
<Windows>\jptc.dat
<Windows>\offun.exe (detected as Troj/DwnLdr-ACV)
<Windows>\pf78.exe (detected as Troj/Agent-BQS)
<Windows>\pf79.exe
jptc.dat is a harmless data file.
Pf79.exe is a potentially unwanted application.
Name Troj/Mdrop-AMA
Type
* Trojan
Affected operating systems
* Windows
Side effects
* Drops more malware
* Downloads code from the internet
Aliases
* Trojan-Dropper.Win32.Agent.hl
Prevalence (1-5) 2
Description
Troj/Mdrop-AMA is a multidropper Trojan for the Windows platform.
Advanced
Troj/Mdrop-AMA is a multidropper Trojan for the Windows platform.
When Troj/Mdrop-AMA is installed the following files are created:
<Temp>\mc-110-12-0000118.exe - detected as App/Maxif-Dlr
<Common Files>\Download\mc-110-12-0000118.exe - detected as
App/Maxif-Dlr
<System>\explorer.exe - detected as Troj/Adload-BN
Name W32/Tilebot-EU
Type
* Spyware Worm
How it spreads
* Network shares
* Chat programs
Affected operating systems
* Windows
Side effects
* Steals information
* Installs itself in the Registry
* Exploits system or software vulnerabilities
* Used in DOS attacks
Aliases
* Backdoor.Win32.SdBot.aad
* W32.Spybot.Worm
Prevalence (1-5) 2
Description
W32/Tilebot-EU is a worm with IRC backdoor functionality for the
Windows platform.
W32/Tilebot-EU spreads to other network computers by exploiting
common buffer overflow vulnerabilities, including: LSASS
(http://www.microsoft.com/technet/security/bulletin/ms04-011.mspx),
RPC-DCOM
(http://www.microsoft.com/technet/security/bulletin/ms04-012.mspx),
WKS
(http://www.microsoft.com/technet/security/bulletin/ms03-049.mspx)
(CAN-2003-0812), PNP
(http://www.microsoft.com/technet/security/bulletin/ms05-039.mspx)
and ASN.1
(http://www.microsoft.com/technet/security/bulletin/ms04-007.mspx)
and by copying itself to network shares protected by weak passwords.
W32/Tilebot-EU runs continuously in the background, providing a
backdoor server which allows a remote intruder to gain access and
control over the computer via IRC channels.
W32/Tilebot-EU includes functionality to:
set up an FTP server
set up a proxy server
spread via AOL Instant Messager by sending messages automatically
set or remove network shares
port scanning
packet sniffing
access the internet and communicate with a remote server via HTTP
harvest information from clipboard
take part in Distributed Denial of Service (DDoS) attacks
The following patches for operating system vulnerabilities exploited
by W32/Tilebot-EU are available from Microsoft:
http://www.microsoft.com/technet/security/bulletin/ms03-049.mspx
http://www.microsoft.com/technet/security/bulletin/ms04-007.mspx
http://www.microsoft.com/technet/security/bulletin/ms04-011.mspx
http://www.microsoft.com/technet/security/bulletin/ms04-012.mspx
http://www.microsoft.com/technet/security/bulletin/ms05-039.mspx
Advanced
W32/Tilebot-EU is a worm with IRC backdoor functionality for the
Windows platform.
W32/Tilebot-EU spreads to other network computers by exploiting
common buffer overflow vulnerabilities, including: LSASS
(http://www.microsoft.com/technet/security/bulletin/ms04-011.mspx),
RPC-DCOM
(http://www.microsoft.com/technet/security/bulletin/ms04-012.mspx),
WKS
(http://www.microsoft.com/technet/security/bulletin/ms03-049.mspx)
(CAN-2003-0812), PNP
(http://www.microsoft.com/technet/security/bulletin/ms05-039.mspx)
and ASN.1
(http://www.microsoft.com/technet/security/bulletin/ms04-007.mspx)
and by copying itself to network shares protected by weak passwords.
W32/Tilebot-EU runs continuously in the background, providing a
backdoor server which allows a remote intruder to gain access and
control over the computer via IRC channels.
W32/Tilebot-EU includes functionality to:
set up an FTP server
set up a proxy server
spread via AOL Instant Messager by sending messages automatically
set or remove network shares
port scanning
packet sniffing
access the internet and communicate with a remote server via HTTP
harvest information from clipboard
take part in Distributed Denial of Service (DDoS) attacks
When first run W32/Tilebot-EU copies itself to <Windows
folder>\alg.exe.
The file alg.exe is registered as a new system driver service named
"AppLayerGatewayMgr", with a display name of "Application Layer
Gateway Manager" and a startup type of automatic, so that it is
started automatically during system startup. Registry entries are
created under:
HKLM\SYSTEM\CurrentControlSet\Services\AppLayerGatewayMgr\
W32/Tilebot-EU sets the following registry entries, disabling the
automatic startup of other software:
HKLM\SYSTEM\CurrentControlSet\Services\Messenger
Start
4
HKLM\SYSTEM\CurrentControlSet\Services\RemoteRegistry
Start
4
HKLM\SYSTEM\CurrentControlSet\Services\TlntSvr
Start
4
HKLM\SYSTEM\CurrentControlSet\Services\wscsvc
Start
4
Additional registry entries are set as follows:
HKLM\SOFTWARE\Microsoft\Security Center
AntiVirusDisableNotify
1
HKLM\SOFTWARE\Microsoft\Security Center
AntiVirusOverride
1
HKLM\SOFTWARE\Microsoft\Security Center
FirewallDisableNotify
1
HKLM\SOFTWARE\Microsoft\Security Center
FirewallOverride
1
HKLM\SOFTWARE\Microsoft\Security Center
UpdatesDisableNotify
1
HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate
DoNotAllowXPSP2
1
HKLM\SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile
EnableFirewall
0
HKLM\SOFTWARE\Policies\Microsoft\WindowsFirewall\StandardProfile
EnableFirewall
0
HKLM\SYSTEM\CurrentControlSet\Services\lanmanserver\parameters
AutoShareServer
0
HKLM\SYSTEM\CurrentControlSet\Services\lanmanserver\parameters
AutoShareWks
0
HKLM\SYSTEM\CurrentControlSet\Services\lanmanworkstation\parameters
AutoShareServer
0
HKLM\SYSTEM\CurrentControlSet\Services\lanmanworkstation\parameters
AutoShareWks
0
HKLM\SYSTEM\CurrentControlSet\Control\
WaitToKillServiceTimeout
7000
HKLM\SOFTWARE\Microsoft\Ole
EnableDCOM
N
HKLM\SYSTEM\CurrentControlSet\Control\Lsa
restrictanonymous
1
The following patches for operating system vulnerabilities exploited
by W32/Tilebot-EU are available from Microsoft:
http://www.microsoft.com/technet/security/bulletin/ms03-049.mspx
http://www.microsoft.com/technet/security/bulletin/ms04-007.mspx
http://www.microsoft.com/technet/security/bulletin/ms04-011.mspx
http://www.microsoft.com/technet/security/bulletin/ms04-012.mspx
http://www.microsoft.com/technet/security/bulletin/ms05-039.mspx
Name W32/Dbit-B
Type
* Virus
How it spreads
* Infected files
Affected operating systems
* Windows
Side effects
* Turns off anti-virus applications
* Allows others to access the computer
* Deletes files off the computer
* Steals information
* Records keystrokes
* Installs itself in the Registry
Aliases
* Trojan.Win32.Dbit.d
* Infostealer
* TROJ_PWSTEAL.AE
Prevalence (1-5) 2
Description
W32/Dbit-B is a virus and backdoor Trojan for the Windows platform.
W32/Dbit-B attempts to infect EXE files. W32/Dbit-B allows
unauthorized remote access to the infected computer.
W32/Dbit-B will attempt to connect to predefined URLs in order to
report infection and download files. The virus may also act as a
backdoor allowing the following actions to be performed by a remote
user on the infected system:
Create folder
Delete files
Execute files
Rename files
Act as a proxy server
Log keypresses
Steal passwords
W32/Dbit-B will also attempt to collect information about the
infected system and report it to a predefined URL. The information
collected includes:
Username
Running processes
IP related information
Available drives
W32/Dbit-B also contains a stealthing component in order to make
itself invisible to the user.
Advanced
W32/Dbit-B is a virus and backdoor Trojan for the Windows platform.
W32/Dbit-B attempts to infect EXE files. W32/Dbit-B allows
unauthorized remote access to the infected computer.
W32/Dbit-B will attempt to connect to predefined URLs in order to
report infection and download files. The virus may also act as a
backdoor allowing the following actions to be performed by a remote
user on the infected system:
Create folder
Delete files
Execute files
Rename files
Act as a proxy server
Log keypresses
Steal passwords
W32/Dbit-B will also attempt to collect information about the
infected system and report it to a predefined URL. The information
collected includes:
Username
Running processes
IP related information
Available drives
W32/Dbit-B also contains a stealthing component in order to make
itself invisible to the user.
When W32/Dbit-B is installed it creates the file <System>\msjet62.dll.
The file msjet62.dll is registered as a new system driver service
named "Irmon", with a display name of "Portable Media Serial Number
Service" and a startup type of automatic, so that it is started
automatically during system startup. Registry entries are created
under:
HKLM\SYSTEM\CurrentControlSet\Services\Irmon\
W32/Dbit-B will attempt to remove processes and services associated
with the following files:
ethereal.exe
aports.exe
tcpview
windump.exe
iris.exe
CV.exe
sniffer.exe
iexplore.exe
outlook.exe
icq.exe
msimn.exe
msmsgs.exe
msnmsgr.exe
qq.exe
endoscope.EXE
icqlite.exe
foxmail.exe
Name Troj/Tibs-AR
Type
* Trojan
Affected operating systems
* Windows
Side effects
* Drops more malware
* Downloads code from the internet
* Installs itself in the Registry
* Leaves non-infected files on computer
Aliases
* Packed.Win32.Tibs
Prevalence (1-5) 2
Description
Troj/Tibs-AR is a Trojan for the Windows platform.
Troj/Tibs-AR includes functionality to access the internet and
communicate with a remote server via HTTP to download and install
software.
Advanced
Troj/Tibs-AR is a Trojan for the Windows platform.
Troj/Tibs-AR includes functionality to access the internet and
communicate with a remote server via HTTP to download and install
software.
When first run Troj/Tibs-AR copies itself to <System>\taskdir.exe and
creates the following files:
<System>\taskdir.dll
<System>\zlbw.dll
where file taskdir.dll is detected as Troj/HideDl-A. and zlbw.dll is
a clean compression library.
The following registry entry is created to run taskdir.exe on startup:
HKCU\Software\Microsoft\Windows\CurrentVersion\Run
taskdir
<System>\taskdir.exe
Name W32/Tilebot-EW
Type
* Worm
How it spreads
* Network shares
Affected operating systems
* Windows
Side effects
* Allows others to access the computer
* Installs itself in the Registry
* Exploits system or software vulnerabilities
Aliases
* Backdoor.Win32.SdBot.xd
* WORM_SDBOT.ARX
Prevalence (1-5) 2
Description
W32/Tilebot-EW is a worm and IRC backdoor Trojan for the Windows
platform.
W32/Tilebot-EW spreads to other network computers by exploiting
common buffer overflow vulnerabilities, including: LSASS (MS04-011),
RPC-DCOM (MS04-012), WKS (MS03-049) (CAN-2003-0812), PNP (MS05-039)
and ASN.1 (MS04-007) and by copying itself to network shares
protected by weak passwords.
W32/Tilebot-EW runs continuously in the background, providing a
backdoor server which allows a remote intruder to gain access and
control over the computer via IRC channels.
Advanced
W32/Tilebot-EW is a worm and IRC backdoor Trojan for the Windows
platform.
W32/Tilebot-EW spreads to other network computers by exploiting
common buffer overflow vulnerabilities, including: LSASS (MS04-011),
RPC-DCOM (MS04-012), WKS (MS03-049) (CAN-2003-0812), PNP (MS05-039)
and ASN.1 (MS04-007) and by copying itself to network shares
protected by weak passwords.
W32/Tilebot-EW runs continuously in the background, providing a
backdoor server which allows a remote intruder to gain access and
control over the computer via IRC channels.
When first run W32/Tilebot-EW copies itself to <Windows
folder>\winfix32.exe.
The file winfix32.exe is registered as a new system driver service
named "Windows Fix Services", with a display name of "Windows Fix
Services" and a startup type of automatic, so that it is started
automatically during system startup. Registry entries are created
under:
HKLM\SYSTEM\CurrentControlSet\Services\Windows Fix Services\
W32/Tilebot-EW sets the following registry entries, disabling the
automatic startup of other software:
HKLM\SYSTEM\CurrentControlSet\Services\Messenger
Start
4
HKLM\SYSTEM\CurrentControlSet\Services\RemoteRegistry
Start
4
HKLM\SYSTEM\CurrentControlSet\Services\TlntSvr
Start
4
Registry entries are set as follows:
HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate
DoNotAllowXPSP2
1
HKLM\SOFTWARE\Microsoft\Ole
EnableDCOM
N
HKLM\SYSTEM\CurrentControlSet\Control\Lsa
restrictanonymous
1
Registry entries are created under:
HKLM\SOFTWARE\Microsoft\Security Center\
HKLM\SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile\
HKLM\SOFTWARE\Policies\Microsoft\WindowsFirewall\StandardProfile\
Name Troj/Xorpix-E
Type
* Trojan
Affected operating systems
* Windows
Side effects
* Downloads code from the internet
* Installs itself in the Registry
Aliases
* Trojan-Proxy.Win32.Xorpix.u
Prevalence (1-5) 2
Description
Troj/Xorpix-E is a proxy Trojan for the Windows platform.
Troj/Xorpix-A allows network traffic to be routed through an infected
computer as specified by a remote intruder.
Troj/Xorpix-E attempts to turn off security related services
including the Windows Security Centre and the Windows Firewall.
Troj/Xorpix-A may download and run further executable files.
Advanced
Troj/Xorpix-E is a proxy Trojan for the Windows platform.
Troj/Xorpix-A allows network traffic to be routed through an infected
computer as specified by a remote intruder.
Troj/Xorpix-E attempts to turn off security related services
including the Windows Security Centre and the Windows Firewall.
Troj/Xorpix-A may download and run further executable files.
When run, Troj/Xorpix-E will attempt to copy itself to the Windows
system folder and create registry entries under:
HKLM\SOFTWARE\Microsoft\Windows
NT\CurrentVersion\Winlogon\Notify\20242402reg
Name Troj/Agent-BOR
Type
* Trojan
Affected operating systems
* Windows
Side effects
* Allows others to access the computer
* Drops more malware
* Installs itself in the Registry
Aliases
* Backdoor.Win32.Agent.uu
Prevalence (1-5) 2
Description
Troj/Agent-BOR is a backdoor Trojan which allows a remote intruder to
gain access and control over the computer.
Advanced
Troj/Agent-BOR is a backdoor Trojan which allows a remote intruder to
gain access and control over the computer.
When Troj/Agent-BOR is installed it creates the file <Windows system
folder>\dcom_16.dll.
The file dcom_16.dll is detected as Troj/SpamThru-C.
The following registry entries are created to run code exported by
the Trojan libraries on startup:
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskSched
uler
{2C1CD3D7-86AC-4068-93BC-A02304BB8C34}
DCOM Server
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayL
oad
DCOM Server
{2C1CD3D7-86AC-4068-93BC-A02304BB8C34}
The file dcom_16.dll is registered as a COM object, creating registry
entries under:
HKCR\CLSID\{2C1CD3D7-86AC-4068-93BC-A02304BB8C34}
--- MultiMail/Win32 v0.43
* Origin: Try Our Web Based QWK: DOCSPLACE.ORG (1:123/140)
|