Text 199, 1383 lines
Written 2006-07-09 23:49:00 by KURT WISMER (1:123/140)
Subject: News, July 9, 2006
==========================
[cut-n-paste from sophos.com]
Name Troj/Zlob-PI
Type
* Trojan
Affected operating systems
* Windows
Side effects
* Installs itself in the Registry
Aliases
* Trojan-Downloader.Win32.Zlob.we
* Puper.dll
Prevalence (1-5) 2
Description
Troj/Zlob-PI is a Trojan for the Windows platform.
Advanced
Troj/Zlob-PI is a Trojan for the Windows platform.
When run Troj/Zlob-PI creates the following files:
<Program files>\ZipCodec\uninst.exe
<System>\regperf.exe
<System>\ld100.tmp
uninst.exe is a harmless file that, when run, deletes itself and the
<Program files>\ZipCodec folder. This file can be deleted.
The files <System>\regperf.exe and <System>\ld100.tmp are detected as
Troj/Zlob-PI.
The following registry entry is set to run regperf.exe on startup:
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\explorer\run
wininet.dll
regperf.exe
Name Troj/Lineage-VJ
Type
* Spyware Trojan
Affected operating systems
* Windows
Side effects
* Steals information
Aliases
* PWS-Lineage
Prevalence (1-5) 2
Description
Troj/Lineage-VJ is a password-stealing Trojan for the Windows platform.
Advanced
Troj/Lineage-VJ is a password-stealing Trojan for the Windows platform.
When Troj/Lineage-VJ is installed the following files are created:
<Windows>\svchost.exe
<System>\pdll.dll
Both of these files are detected as Troj/Lineage-VJ.
The following registry entry is changed to run Troj/Lineage-VJ on
startup:
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon
Userinit
<System>\userinit.exe,<Windows>\svchost.exe,
(the default value for this registry entry is
"<Windows>\System32\userinit.exe,").
Name Troj/SpyDldr-J
Type
* Trojan
Affected operating systems
* Windows
Side effects
* Downloads code from the internet
* Installs itself in the Registry
* Leaves non-infected files on computer
Aliases
* Hoax.Win32.Renos.dk
* TFactory
* Win32/Hoax.Renos.DK
Prevalence (1-5) 2
Description
Troj/SpyDldr-J is a Trojan for the Windows platform.
Troj/SpyDldr-J creates registry entries and drops corrupt executable
files on the infected computer that indicate the presence of malware
or adware on the computer, and may generate fake alerts about them.
Troj/SpyDldr-J may display the following fake error message:
Warning!
Local Security Authority Service ('lsass.exe') has encountered a
serious problem (possible spyware infection).
Click OK button to visit Windows Security Center web site and
download spyware remover to protect your
system against trojans, viruses and spyware. System scan is highly
recommended by Windows Security Center.
'lsass.exe' terminated unexpectedly with status code -1073741819
Advanced
Troj/SpyDldr-J is a Trojan for the Windows platform.
Troj/SpyDldr-J creates registry entries and drops corrupt executable
files on the infected computer that indicate the presence of malware
or adware on the computer, and may generate fake alerts about them.
Troj/SpyDldr-J may display the following fake error message:
Warning!
Local Security Authority Service ('lsass.exe') has encountered a
serious problem (possible spyware infection).
Click OK button to visit Windows Security Center web site and
download spyware remover to protect your
system against trojans, viruses and spyware. System scan is highly
recommended by Windows Security Center.
'lsass.exe' terminated unexpectedly with status code -1073741819
Troj/SpyDldr-J attempts to download and install further files from a
remote website to the following locations:
<Windows system folder>\adobepnl.dll
<Windows system folder>\qjrkvy.exe
<Windows system folder>\reger.exe
<Windows system folder>\winflash.dll
Troj/SpyDldr-J attempts to download some of the following image files
to the Windows folder:
Troj/SpyDldr-J creates some of the following files to pretend the
computer is infected with other malware and adware:
<Windows folder>\alexaie.dll
<Windows folder>\alxie328.dll
<Windows folder>\alxtb1.dll
<Windows folder>\BTGrab.dll
<Windows folder>\dlmax.dll
<Windows folder>\Pynix.dll
<Windows folder>\susp.exe
<Windows folder>\ZServ.dll
<Windows system folder>\a.exe
<Windows system folder>\alxres.dll
<Windows system folder>\bridge.dll
<Windows system folder>\dailytoolbar.dll
<Windows system folder>\jao.dll
<Windows system folder>\questmod.dll
<Windows system folder>\runsrv32.dll
<Windows system folder>\runsrv32.exe
<Windows system folder>\tcpservice2.exe
<Windows system folder>\txfdb32.dll
<Windows system folder>\udpmod.dll
<Windows system folder>\wstart.dll
Troj/SpyDldr-J creates some of the following registry entries to
pretend the computer is infected with other malware and adware:
Name W32/Brontok-BB
Type
* Spyware Worm
Affected operating systems
* Windows
Side effects
* Allows others to access the computer
* Steals information
* Downloads code from the internet
* Installs itself in the Registry
* Leaves non-infected files on computer
Prevalence (1-5) 2
Description
W32/Brontok-BB is a mass-mailing worm for the Windows platform.
W32/Brontok-BB sends itself to email addresses found on the infected
computer
Advanced
W32/Brontok-BB is a mass-mailing worm for the Windows platform.
W32/Brontok-BB sends itself to email addresses found on the infected
computer.
Emails sent by the worm have the following characteristics:
If the recipient's address is Indonesian:
Subject: Fotoku yg Paling Cantik
Message text:
Hi,
Aku lg iseng aja pengen kirim foto ke kamu
Jangan lupain aku ya !.
Thanks
For all other addresses:
Subject: My Best Photo
Message text:
Hi,
I want to share my photo with you.
Wishing you all the best.
Regards,
Attachment name: Photo.zip
The zip file contains Photo.bmp and View-Photo.bat. View-Photo.bat
runs Photo.bmp.
Photo.bmp is an executable (currently detected as Troj/DwnLdr-AYN)
which attempts to download and execute a copy of the worm from a
preconfigured website. At the time of writing, this website is
unavailable.
W32/Brontok-BB closes windows whose titles contain any of the
following:
task manager
baca bro !!!
registry
command prompt
system configuration
group policy
cmd.exe
computer management
scheduled task
killbox
hijack
SYSINTERNAL
PROCESS EXP
REMOVER
CLEANER
anti
washer
ertanto
BROWNIES
movzx
killer
pcmedia
pc-media
rontok
rontox
robknot
commander
windows script
norman
norton
symantec
cillin
trendmicro
bitdef
kaspersky
avg
avira
virus
trojan
worm
mcafee
b.e
folder option
wintask
alwil
sex
porn
naked
cewe
bugil
telanjang
nod32
task view
peid
ahnlab
When first run W32/Brontok-BB copies itself to:
<User>\Local Settings\Application Data\dv<random>\yesbron.com
<User>\Local Settings\Application Data\jalak<random>.com
<Windows>\_default<random>.pif
<Windows>\j<random>.exe
<Windows>\o<random>.exe
<Windows>\sa<random>\ib<random>.exe
<System>\c<random>.com
<System>\n<random>\b<random>.exe
<System>\n<random>\csrss.exe
<System>\n<random>\lsass.exe
<System>\n<random>\services.exe
<System>\n<random>\smss.exe
<System>\n<random>\sv<random>.exe
<System>\n<random>\winlogon.exe
where <random> is a sequence of randomly generated numbers, and
creates the following files:
Baca Bro !!!.txt
<Windows>\Tasks\At1.job
<Windows>\Tasks\At2.job
<System>\n5817\c.bron.tok.txt
These files can be deleted.
The .job files each contain a scheduled task, instructing Windows to
execute the installed copies of the worm once per day.
W32/Brontok-BB may install a new version of the file
<System>\msvbvm60.dll.
The following registry entries are created to run yesbron.com,
_default<random>.pif, j<random>.exe and sv<random>.exe on startup:
HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\run
<random characters>
<User>\Local Settings\Application Data\dv<random>\yesbron.com
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\run
<random characters>
<Windows>\_default<random>.pif
HKCU\Software\Microsoft\Windows\CurrentVersion\Run
<random characters>
<System>\n<random>\sv<random>.exe
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
<random characters>
<Windows>\j<random>.exe
The following registry entries are changed to run j<random>.exe and
o<random>.exe on startup:
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon
Shell
Explorer.exe "<Windows>\o<random>.exe"
(the default value for this registry entry is "Explorer.exe" which
causes the Microsoft file <Windows>\Explorer.exe to be run on startup).
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon
Userinit
<System>\userinit.exe,<Windows>\j<random>.exe
(the default value for this registry entry is
"<Windows>\System32\userinit.exe,").
The following registry entry is set, disabling the registry editor
(regedit):
HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System
DisableRegistryTools
1
Registry entries are set as follows:
HKCU\Software\Brontok
Message
Look @ "C:\Baca Bro !!!.txt"
HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced
Hidden
0
HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced
HideFileExt
1
HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced
ShowSuperHidden
0
Registry entries are created under:
HKCU\Software\Brontok\
Name Troj/Banker-CSX
Type
* Spyware Trojan
Affected operating systems
* Windows
Side effects
* Turns off anti-virus applications
* Steals information
* Forges the sender's email address
* Uses its own emailing engine
* Reduces system security
* Installs itself in the Registry
* Monitors browser activity
Aliases
* Trojan-Spy.Win32.Banker.ark
Prevalence (1-5) 2
Description
Troj/Banker-CSX is an internet banking Trojan for the Windows platform.
When run Troj/Banker-CSX attempts to disable software that may be
running on the user's computer.
Troj/Banker-CSX then continuously monitors Microsoft Internet
Explorer for certain strings related to internet banking websites.
Once a match is found, Troj/Banker-CSX will display a fake login
screen, prompting the user to enter confidential information.
Advanced
Troj/Banker-CSX is an internet banking Trojan for the Windows platform.
When run Troj/Banker-CSX attempts to disable software that may be
running on the user's computer.
Troj/Banker-CSX then continuously monitors Microsoft Internet
Explorer for certain strings related to internet banking websites.
Once a match is found, Troj/Banker-CSX will display a fake login
screen, prompting the user to enter confidential information.
Troj/Banker-CSX sends the harvested information to a remote address
via SMTP.
Troj/Banker-CSX copies itself to <System>\nvcpll.exe.
Troj/Banker-CSX creates the following registry entry to run
nvcpll.exe on startup:
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
nvcpll
<System>\nvcpll.exe
Name Troj/Clagger-V
Type
* Trojan
Affected operating systems
* Windows
Prevalence (1-5) 2
Description
Troj/Clagger-V is a Trojan downloader for the Windows platform.
Troj/Clagger-V attempts to download a file from a remote website to
<Windows>\new.exe and execute it.
Troj/Clagger-V drops the clean file 1.bat to the same folder as
itself in order to delete itself.
Advanced
Troj/Clagger-V is a Trojan downloader for the Windows platform.
Troj/Clagger-V attempts to download a file from a remote website to
<Windows>\new.exe and execute it.
Troj/Clagger-V sets the following registry entry in order to bypass
the Windows firewall:
HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FiREWaLLpolicy\StAnDaRDPrOFiLe\AUtHorizedapplications\List
<Trojan filename>
<Trojan filename>:*:ENABLED:0
Troj/Clagger-V drops the clean file 1.bat to the same folder as
itself in order to delete itself.
Name Troj/Cimuz-AO
Type
* Spyware Trojan
Affected operating systems
* Windows
Side effects
* Steals credit card details
* Steals information
* Installs itself in the Registry
* Installs a browser helper object
Aliases
* Win32/Spy.Agent.EO
* Spy-Agent.ba
Prevalence (1-5) 2
Description
Troj/Cimuz-AO is an information-stealing Trojan for the Windows
platform.
Troj/Cimuz-AO attempts to steal information such as email account
usernames and passwords, as well as creating screenshots to capture
information such as banking details, and may send the stolen
information to a remote user via FTP.
Advanced
Troj/Cimuz-AO is an information-stealing Trojan for the Windows
platform.
Troj/Cimuz-AO attempts to steal information such as email account
usernames and passwords, as well as creating screenshots to capture
information such as banking details, and may send the stolen
information to a remote user via FTP.
Troj/Cimuz-AO drops the file <System>\ipv6mons.dll, also detected
as Troj/Cimuz-AO. This file is registered as a COM object and Browser
Helper Object (BHO) for Microsoft Internet Explorer, creating
registry entries under:
HKCR\CLSID\{73364D99-1240-4dff-B11A-67E448373048}
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper ObJects\{73364D99-1240-4dff-B11A-67E448373048}
The following registry entry is set, affecting internet security:
HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\<Program Files>\Internet Explorer
IEXPLORE.EXE
"<Program Files>\\Internet Explorer\\IEXPLORE.EXE:*:Enabled:Internet Explorer"
Troj/Cimuz-AO creates the following registry value:
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Control Panel\load\net_insll
Name Troj/Ogre-A
Type
* Spyware Trojan
Affected operating systems
* Windows
Side effects
* Steals information
* Records keystrokes
* Monitors browser activity
Aliases
* Trojan-Spy.Win32.Bancos.px
* Win32/Spy.Bancos.IV
Prevalence (1-5) 2
Description
Troj/Ogre-A is a password-stealing Trojan for the Windows platform.
Advanced
Troj/Ogre-A is a password-stealing Trojan for the Windows platform.
Troj/Ogre-A attempts to steal confidential data when a user attempts
to access Orkut.
Troj/Ogre-A will display a fake login screen for Orkut when a user
accesses the website via a web browser.
Name W32/Looked-B
Type
* Virus
How it spreads
* Network shares
* Infected files
Affected operating systems
* Windows
Side effects
* Downloads code from the internet
* Installs itself in the Registry
Aliases
* Worm.Win32.Viking.n
* Win32/Viking.N
Prevalence (1-5) 2
Description
W32/Looked-B is a Windows executable virus and network worm.
The virus infects EXE files found on the infected computer. The virus
also attempts to copy itself to remote network shares.
Advanced
W32/Looked-B is a Windows executable virus and network worm.
When first run the virus copies itself to <Windows>\rundl132.exe and
creates a file <Windows>\vDll.dll, also detected as W32/Looked-B.
This file attempts to download further malicious code.
The virus infects EXE files found on the infected computer. The virus
also attempts to copy itself to remote network shares.
Many files with the name "_desktop.ini" are created, in various
folders on the infected computer. These files are harmless text files.
The following registry entry is created in order to run the virus on
startup:
HKCU\Software\Microsoft\Windows NT\CurrentVersion\Windows
load
<Windows>\rundl132.exe
Name Troj/Cimuz-AP
Type
* Trojan
Affected operating systems
* Windows
Side effects
* Drops more malware
Aliases
* Spy-Agent.ak
Prevalence (1-5) 2
Description
Troj/Cimuz-AP is a Trojan for the Windows platform.
Advanced
Troj/Cimuz-AP is a Trojan for the Windows platform.
When Troj/Cimuz-AP is installed it creates the file
<System>\ipv6mons.dll.
The file ipv6mons.dll is detected as Troj/Cimuz-Gen.
The file ipv6mons.dll is registered as a COM object and Browser
Helper Object (BHO) for Microsoft Internet Explorer, creating
registry entries under:
HKCR\CLSID\{73364D99-1240-4dff-B11A-67E448373048}
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\browser helper obJects\{73364D99-1240-4dff-B11A-67E448373048}
The following registry entries are set, affecting internet security:
HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\
HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\
HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\
HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\
HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\\Internet Explorer
IEXPLORE.EXE
<Program Files>\Internet Explorer\IEXPLORE.EXE:*:Enabled:Internet Explorer
Name Troj/Agent-CDK
Type
* Trojan
Affected operating systems
* Windows
Side effects
* Downloads code from the internet
* Reduces system security
* Installs itself in the Registry
Aliases
* Trojan-Downloader.Win32.Agent.nw
* W32/Agent.XR
* Downloader-LE.gen
* Win32/TrojanDownloader.Agent.LG
Prevalence (1-5) 2
Description
Troj/Agent-CDK is a Trojan for the Windows platform.
Troj/Agent-CDK includes functionality to download, install and run
new software.
Troj/Agent-CDK also contains functionality to access the internet and
communicate with a remote server via HTTP.
Advanced
Troj/Agent-CDK is a Trojan for the Windows platform.
Troj/Agent-CDK includes functionality to download, install and run
new software.
Troj/Agent-CDK also contains functionality to access the internet and
communicate with a remote server via HTTP.
When first run Troj/Agent-CDK copies itself to <Windows system
folder>\[random1]\[random2].exe (where random1 and random2 are
randomly generated names of 6 and 5 characters respectively).
The following registry entry is created to run cosvcx.exe on startup:
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
[random2]
<Windows system folder>\[random1]\[random2].exe
The file [random2].exe is registered as a COM object, creating
registry entries under:
HKCR\CLSID\{86999974-0C67-0C36-58D5-200AED9213EB}
Troj/Agent-CDK changes settings for Microsoft Internet Explorer by
modifying values under:
HKLM\SOFTWARE\Microsoft\Internet Explorer\Main\
The following registry entry is set, affecting internet security:
HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ProxyServer
Name Troj/Dloadr-YT
Type
* Trojan
Affected operating systems
* Windows
Side effects
* Downloads code from the internet
* Reduces system security
* Installs itself in the Registry
Aliases
* Trojan-Downloader.Win32.Small.cul
Prevalence (1-5) 2
Description
Troj/Dloadr-YT is a downloading Trojan for the Windows platform.
Advanced
Troj/Dloadr-YT is a downloading Trojan for the Windows platform.
The Trojan includes functionality to access the internet and
communicate with a remote server via HTTP.
When first run Troj/Dloadr-YT copies itself to <System>\upnp.exe.
The file being downloaded was unavailable at the time of writing.
The following registry entry is created to run upnp.exe on startup:
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
upnp
<System>\upnp.exe
The following registry entries are set, affecting internet security:
HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List
<pathname of the Trojan executable>
<original filename>:*:Enabled:<original filename>
HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\
<System>\upnp.exe
<System>\upnp.exe:*:Enabled:upnp
Name W32/Bagle-KN
Type
* Worm
How it spreads
* Email attachments
Affected operating systems
* Windows
Side effects
* Turns off anti-virus applications
* Forges the sender's email address
* Downloads code from the internet
* Installs itself in the Registry
* Leaves non-infected files on computer
Prevalence (1-5) 2
Description
W32/Bagle-KN is a mass-mailing worm and downloader Trojan for the
Windows platform.
Emails sent by the worm have the following characteristics:
The sender's email address is spoofed.
Message text chosen from:
To the beloved
I love you
And appended with any of the following strings:
archive password: <link to imagefile containing password>
The password is <link to imagefile containing password>
Password -- <link to imagefile containing password>
Use password <link to imagefile containing password> to open archive.
Password is <link to imagefile containing password>
Zip password: <link to imagefile containing password>
archive password: <link to imagefile containing password>
Password - <link to imagefile containing password>
Password: <link to imagefile containing password>
The email comes with 2 file attachments:
<random characters>.GIF
<random name>.ZIP
The file <random characters>.GIF contains a GIF image which contains
the password to unzip the ZIP file.
The file <random name>.ZIP when unzipped contains 2 files:
<random characters>\<random characters>.dll - this file may be safely
deleted
<random characters>.exe - detected as W32/Bagle-KN
Advanced
W32/Bagle-KN is a mass-mailing worm and downloader Trojan for the
Windows platform.
When run W32/Bagle-KN creates the file <User>\Application
Data\hidn\m_hook.sys. This file is also detected as W32/Bagle-KN and
includes functionality to terminate anti-virus and system-related
processes and to hide processes.
The file m_hook.sys is registered as a new system driver service
named "m_hook", with a display name of "Empty" and a startup type of
automatic, so that it is started automatically during system startup.
Registry entries are created under:
HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_M_HOOK\
HKLM\SYSTEM\CurrentControlSet\Services\m_hook\
The following registry entry is also set:
HKCU\Software\FirstRuxzx
FirstRun
1
W32/Bagle-KN also creates the file C:\error.gif. This is a GIF file
which is also subsequently run and can be safely deleted.
Emails sent by the worm have the following characteristics:
The sender's email address is spoofed.
Message text chosen from:
To the beloved
I love you
And appended with any of the following strings:
archive password: <link to imagefile containing password>
The password is <link to imagefile containing password>
Password -- <link to imagefile containing password>
Use password <link to imagefile containing password> to open archive.
Password is <link to imagefile containing password>
Zip password: <link to imagefile containing password>
archive password: <link to imagefile containing password>
Password - <link to imagefile containing password>
Password: <link to imagefile containing password>
The email comes with 2 file attachments:
<random characters>.GIF
<random name>.ZIP
The file <random characters>.GIF contains a GIF image which contains
the password to unzip the ZIP file.
The file <random name>.ZIP when unzipped contains 2 files:
<random characters>\<random characters>.dll - this file may be safely
deleted
<random characters>.exe - detected as W32/Bagle-KN
W32/Bagle-KN may also copy itself to <User>\Application Data\hidn\hidn1.exe
and set the following registry entry to run hidn1.exe on startup:
HKCU\Software\Microsoft\Windows\CurrentVersion\Run
drv_st_key
<path to worm executable>
Name W32/Oscabot-O
Type
* Worm
How it spreads
* Chat programs
Affected operating systems
* Windows
Side effects
* Allows others to access the computer
* Installs itself in the Registry
Aliases
* Backdoor.Win32.Aimbot.v
Prevalence (1-5) 2
Description
W32/Oscabot-O is a Trojan for the Windows platform.
W32/Oscabot-O runs continuously in the background, providing a
backdoor server which allows a remote intruder to gain access and
control over the computer via IRC channels.
Advanced
W32/Oscabot-O is a Trojan for the Windows platform.
W32/Oscabot-O runs continuously in the background, providing a
backdoor server which allows a remote intruder to gain access and
control over the computer via IRC channels.
W32/Oscabot-O spreads via AOL Instant Messenger.
When first run W32/Oscabot-O copies itself to <Windows>\msclean.exe.
The following registry entry is created to run msclean.exe on startup:
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
msclean
<Windows>\msclean.exe
The following registry entry is set:
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon
msclean
msclean.exe<Windows>\msclean.exe
Name Troj/LowZone-CX
Type
* Trojan
Affected operating systems
* Windows
Side effects
* Reduces system security
* Installs itself in the Registry
* Modifies browser settings
Aliases
* Trojan.Win32.LowZones.dt
* QLowZones-2.gen
* Trojan.LowZones
* TROJ_LOWZONE.AF
Prevalence (1-5) 2
Description
Troj/LowZone-CX is a Trojan for the Windows platform.
Troj/LowZone-CX includes functionality to access the internet and
communicate with a remote server via HTTP.
Advanced
Troj/LowZone-CX is a Trojan for the Windows platform.
Troj/LowZone-CX includes functionality to access the internet and
communicate with a remote server via HTTP.
When first run Troj/LowZone-CX copies itself to <Windows system folder>\bikini.exe.
The following registry entry is created to run bikini.exe on startup:
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
bikini
bikini.exe
The following registry entry is set, affecting internet security:
HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3
CurrentLevel
11
Name Troj/Dloadr-ZL
Type
* Trojan
Affected operating systems
* Windows
Side effects
* Downloads code from the internet
Aliases
* Trojan-Downloader.Win32.Delf.qz
Prevalence (1-5) 2
Description
Troj/Dloadr-ZL is a Trojan for the Windows platform.
Troj/Dloadr-ZL includes functionality to download, install and run
new software.
Advanced
Troj/Dloadr-ZL is a Trojan for the Windows platform.
Troj/Dloadr-ZL includes functionality to download, install and run
new software.
When first run, Troj/Dloadr-ZL downloads a file from a remote server
called manual.exe. This file is written to <System>\Explorer.EXE
and executed. The file <System>\Explorer.EXE is detected by Sophos
as Troj/Bnkmr-Fam.
Name Troj/Sharp-S
Type
* Spyware Trojan
Affected operating systems
* Windows
Side effects
* Allows others to access the computer
* Steals information
* Downloads code from the internet
* Installs itself in the Registry
Aliases
* Trojan.Win32.Enfal.f
* Win32/Spy.Agent.M
Prevalence (1-5) 2
Description
Troj/Sharp-S is a backdoor Trojan for the Windows platform.
Troj/Sharp-S includes functionality to access the internet and
communicate with a remote server via HTTP.
Troj/Sharp-S injects several threads into the explorer process space.
Advanced
Troj/Sharp-S is a backdoor Trojan for the Windows platform.
Troj/Sharp-S includes functionality to access the internet and
communicate with a remote server via HTTP.
Troj/Sharp-S injects several threads into the explorer process space.
The Trojan copies itself to the Windows system folder as dllhst2d.exe
and dt7x.exe.
Troj/Sharp-S modifies the following registry entry to ensure the
Trojan is run at Windows login:
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon
Userinit
<original registry entry data>,<Windows system folder>\dllhst2d.exe
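The entries above keep returning to the same handful of persistence and security-weakening registry changes: an executable appended to Winlogon\Userinit or Shell (Lineage-VJ, Brontok-BB, Sharp-S), Run and Policies\Explorer\Run autoruns (Zlob-PI, Brontok-BB, Dloadr-YT), DisableRegistryTools (Brontok-BB), a lowered Internet zone level (LowZone-CX), Windows Firewall AuthorizedApplications exceptions (Clagger-V, Cimuz-AO/AP, Dloadr-YT) and a ProxyServer change (Agent-CDK). Here is an added example, not Sophos's code, that audits an offline registry snapshot for exactly those changes; the snapshot dict, the expanded <Windows>/<System> paths, the made-up <random> digits and the proxy host are constructed, and IE_MEDIUM is the Internet Explorer "Medium" zone constant, an assumption not on the page.

```python
import re

# Registry locations the entries above show being abused; keys and value names are
# compared case-insensitively, as the registry itself does.
WINLOGON = r"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon"
FW_LIST = (r"HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters"
           r"\FirewallPolicy\StandardProfile\AuthorizedApplications\List")
INET = r"HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings"
ZONE3 = INET + r"\Zones\3"
POL_SYSTEM = r"HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System"
RUN = r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run"
POL_RUN = r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run"
AUTORUN_KEYS = {k.lower() for k in (RUN, POL_RUN, RUN.replace("HKLM", "HKCU"),
                                    POL_RUN.replace("HKLM", "HKCU"))}
IE_MEDIUM = 0x11000  # assumed: Internet Explorer "Medium" zone level, the Internet zone default
FW_ENTRY = re.compile(r"^(?P<path>.+?):(?P<scope>[^:]*):(?P<state>Enabled|Disabled):", re.I)


def _norm(s):
    return str(s).strip().strip('"').lower()  # case-fold and drop surrounding quotes


def audit_registry(snapshot, system_dir, known_autoruns=(), known_fw_apps=()):
    """Return [(check, detail), ...] for snapshot {(key, value_name): data}; system_dir is
    the page's <System> folder, known_* are baseline program paths allowed to appear."""
    findings = []
    snap = {(k.lower(), v.lower()): d for (k, v), d in snapshot.items()}
    known_autoruns = {_norm(p) for p in known_autoruns}
    known_fw_apps = {_norm(p) for p in known_fw_apps}

    # Winlogon\Userinit must be only "<System>\userinit.exe," (the default the page
    # quotes); Lineage-VJ, Brontok-BB and Sharp-S append their own executable.
    userinit = snap.get((WINLOGON.lower(), "userinit"))
    if userinit is not None:
        expected = _norm(system_dir + r"\userinit.exe")
        for part in userinit.split(","):
            if part.strip() and _norm(part) != expected:
                findings.append(("winlogon_userinit", part.strip()))

    # Winlogon\Shell must be just "Explorer.exe"; Brontok-BB appends o<random>.exe.
    shell = snap.get((WINLOGON.lower(), "shell"))
    if shell is not None and _norm(shell) != "explorer.exe":
        findings.append(("winlogon_shell", shell))

    # Run and Policies\Explorer\Run: every value launches a program at logon
    # (Zlob-PI, Brontok-BB, Dloadr-YT, Oscabot-O), so report anything off the baseline.
    for (key, name), data in snap.items():
        if key in AUTORUN_KEYS and _norm(data) not in known_autoruns:
            findings.append(("autorun", f"{name} = {data}"))

    # Brontok-BB sets DisableRegistryTools = 1 to lock the user out of regedit.
    if str(snap.get((POL_SYSTEM.lower(), "disableregistrytools"))) == "1":
        findings.append(("registry_tools_disabled", "1"))

    # LowZone-CX drops the Internet zone's CurrentLevel far below the Medium default.
    level = snap.get((ZONE3.lower(), "currentlevel"))
    if level is not None and int(level) < IE_MEDIUM:
        findings.append(("internet_zone_lowered", hex(int(level))))

    # Windows Firewall exceptions ("<path>:*:Enabled:<name>") added by Clagger-V,
    # Cimuz-AO/AP and Dloadr-YT: flag every enabled program outside the baseline.
    for (key, name), data in snap.items():
        m = FW_ENTRY.match(str(data)) if key == FW_LIST.lower() else None
        if m and m["state"].lower() == "enabled" and _norm(m["path"]) not in known_fw_apps:
            findings.append(("firewall_exception", m["path"]))

    # Agent-CDK points the browser's ProxyServer at its own host; report any value set.
    proxy = snap.get((INET.lower(), "proxyserver"))
    if proxy:
        findings.append(("proxy_server", proxy))
    return findings


# Constructed snapshot mirroring the indicators above, with the page's <Windows> and
# <System> placeholders expanded and <random> replaced by made-up digits.
SAMPLE_SNAPSHOT = {
    (WINLOGON, "Userinit"): r"C:\WINDOWS\system32\userinit.exe,C:\WINDOWS\svchost.exe,",  # Lineage-VJ
    (WINLOGON, "Shell"): r'Explorer.exe "C:\WINDOWS\o4831.exe"',  # Brontok-BB
    (POL_RUN, "wininet.dll"): "regperf.exe",  # Zlob-PI
    (RUN, "upnp"): r"C:\WINDOWS\system32\upnp.exe",  # Dloadr-YT
    (RUN, "ctfmon"): r"C:\WINDOWS\system32\ctfmon.exe",  # legitimate, in the baseline
    (POL_SYSTEM, "DisableRegistryTools"): 1,  # Brontok-BB
    (ZONE3, "CurrentLevel"): 0x11,  # LowZone-CX: the page's "11", stored here as a DWORD
    (FW_LIST, r"C:\WINDOWS\system32\upnp.exe"): r"C:\WINDOWS\system32\upnp.exe:*:Enabled:upnp",
    (FW_LIST, r"C:\Program Files\Internet Explorer\IEXPLORE.EXE"): r"C:\Program Files\Internet Explorer\IEXPLORE.EXE:*:Enabled:Internet Explorer",  # Cimuz-AO
    (INET, "ProxyServer"): "proxy.invalid:8080",  # Agent-CDK; constructed host name
}
BASELINE_AUTORUNS = (r"C:\WINDOWS\system32\ctfmon.exe",)


def audit_sample():
    """Audit the constructed snapshot; nine findings are expected."""
    return audit_registry(SAMPLE_SNAPSHOT, r"C:\WINDOWS\system32", BASELINE_AUTORUNS)
```

On a live host the same dict can be filled from a `reg export` of these keys before calling audit_registry; the baseline sets are what keeps legitimate Run entries and firewall exceptions out of the report.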
--- MultiMail/Win32 v0.43
* Origin: Try Our Web Based QWK: DOCSPLACE.ORG (1:123/140)