Conference VIRUS, 378 texts
Text 201, 967 lines
Written 2006-07-23 17:53:00 by KURT WISMER (1:123/140)
Subject: News, July 23 2006
==========================
[cut-n-paste from sophos.com]

Name   Troj/Agent-CIG

Type  
    * Spyware Trojan

Affected operating systems  
    * Windows

Side effects  
    * Steals information
    * Installs itself in the Registry

Aliases  
    * Spy-Agent.at
    * Trojan.Win32.Agent.vp
    * Win32/Agent.NBR

Prevalence (1-5) 2

Description
Troj/Agent-CIG is a Trojan for the Windows platform.

Troj/Agent-CIG will attempt to communicate with several different web
addresses.

Advanced
Troj/Agent-CIG is a Trojan for the Windows platform.

When executed Troj/Agent-CIG will create a copy of itself with a
random name in the <system> folder and will create registry entries under

HKCR\CLSID\(2ee25147-37d4-4640-832c-fccfac8b21d9) and
HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser 
Helper Objects

Troj/Agent-CIG will attempt to communicate with several different web
addresses.





Name   Troj/Banker-CZP

Type  
    * Spyware Trojan

Affected operating systems  
    * Windows

Side effects  
    * Steals information
    * Installs itself in the Registry

Aliases  
    * Trojan-Spy.Win32.Banker.anv
    * PWS-Banker.gen.aa

Prevalence (1-5) 2

Description
Troj/Banker-CZP is a Trojan for the Windows platform.

Troj/Banker-CZP includes functionality to send notification messages 
to remote locations.

Advanced
Troj/Banker-CZP is a Trojan for the Windows platform.

Troj/Banker-CZP includes functionality to send notification messages 
to remote locations.

When first run Troj/Banker-CZP copies itself to:

<Startup>\msnmsgr.exe
<Windows>\Config\msnmsgr.exe

The following registry entry is created to run msnmsgr.exe on startup:

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
msnmsgr
<Windows>\Config\msnmsgr.exe





Name   W32/Feebs-AX

Type  
    * Worm

How it spreads  
    * Email attachments

Affected operating systems  
    * Windows

Side effects  
    * Drops more malware
    * Forges the sender's email address
    * Uses its own emailing engine
    * Installs itself in the Registry

Aliases  
    * Worm.Win32.Feebs.hc
    * W32/Feebs.DW
    * JS/TrojanDropper.Tivso.gen

Prevalence (1-5) 2

Description
W32/Feebs-AX is a worm for the Windows platform.

W32/Feebs-AX spreads by sending itself to email addresses harvested 
from the infected computer and via file sharing on P2P networks.

Emails sent by the worm have the following text:

You have received <random text>

To read the message open the attached file.

User ID: <number>
Password: <number>

Keep your password in a safe place.

Advanced
W32/Feebs-AX is a worm for the Windows platform.

W32/Feebs-AX spreads by sending itself to email addresses harvested 
from the infected computer and via file sharing on P2P networks.

Emails sent by the worm have the following text:

You have received <random text>

To read the message open the attached file.

User ID: <number>
Password: <number>

Keep your password in a safe place.

When first run W32/Feebs-AX drops the file C:\Recycled\userinit.exe, 
detected as W32/Feebs-Gen. This file also copies itself to <Windows 
system folder>\ms??.exe and drops the file <Windows system 
folder>\ms??32.dll, detected as W32/Feebs-AT, where ?? are randomly 
chosen characters.

This dropped file also copies itself to P2P folders with the 
following filenames:

3dsmax_9_(3D_Studio_Max)_new!_full+crack.zip
ACDSee_9_new!_full+crack.zip
Adobe_Photoshop_10_(CS3)_new!_full+crack.zip
Adobe_Premiere_9_(2.0_pro)_new!_full+crack.zip
Ahead_Nero_8_new!_full+crack.zip
DivX_7.0_new!_full+crack.zip
ICQ_2006_new!_full+crack.zip
Internet_Explorer_7_new!_full+crack.zip
Kazaa_4_new!_full+crack.zip
Longhorn_new!_full+crack.zip
Microsoft_Office_2006_new!_full+crack.zip
winamp_5.2_new!_full+crack.zip

The following registry entry is created to run code exported by the 
worm library on startup:

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad
ms??32.dll
<clsid value>

The file ms??32.dll is registered as a COM object, creating registry 
entries under:

HKCR\CLSID\<clsid value>





Name   Troj/Dloadr-AIZ

Type  
    * Trojan

Affected operating systems  
    * Windows

Side effects  
    * Downloads code from the internet

Aliases  
    * Trojan-Downloader.Win32.VB.me

Prevalence (1-5) 2

Description
Troj/Dloadr-AIZ is a downloader Trojan for the Windows platform.

When executed, the Trojan may attempt to download a file from a 
remote address to C:\messenger.exe and execute it.

The downloaded file was unavailable at the time of writing.





Name   Troj/Xorpix-H

Type  
    * Trojan

Affected operating systems  
    * Windows

Side effects  
    * Dropped by malware

Aliases  
    * Trojan-Proxy.Win32.Xorpix.ab

Prevalence (1-5) 2

Description
Troj/Xorpix-H is a Trojan for the Windows platform.

Troj/Xorpix-H is dropped by Troj/Dropper-KT.





Name   W32/Tilebot-GC

Type  
    * Worm

How it spreads  
    * Network shares
    * Chat programs

Affected operating systems  
    * Windows

Side effects  
    * Allows others to access the computer
    * Installs itself in the Registry
    * Exploits system or software vulnerabilities

Aliases  
    * Backdoor.Win32.SdBot.aad
    * W32.Spybot.Worm

Prevalence (1-5) 2

Description
W32/Tilebot-GC is a worm and IRC backdoor for the Windows platform.

W32/Tilebot-GC spreads to other network computers by exploiting 
common buffer overflow vulnerabilities, including: LSASS 
(http://www.microsoft.com/technet/security/bulletin/ms04-011.mspx), 
RPC-DCOM 
(http://www.microsoft.com/technet/security/bulletin/ms04-012.mspx), 
WKS 
(http://www.microsoft.com/technet/security/bulletin/ms03-049.mspx) 
(CAN-2003-0812), PNP 
(http://www.microsoft.com/technet/security/bulletin/ms05-039.mspx) 
and ASN.1 
(http://www.microsoft.com/technet/security/bulletin/ms04-007.mspx) 
and by copying itself to network shares protected by weak passwords.

W32/Tilebot-GC runs continuously in the background, providing a 
backdoor server which allows a remote intruder to gain access and 
control over the computer via IRC channels.

Advanced
W32/Tilebot-GC is a worm and IRC backdoor for the Windows platform.

W32/Tilebot-GC spreads to other network computers by exploiting 
common buffer overflow vulnerabilities, including: LSASS 
(http://www.microsoft.com/technet/security/bulletin/ms04-011.mspx), 
RPC-DCOM 
(http://www.microsoft.com/technet/security/bulletin/ms04-012.mspx), 
WKS 
(http://www.microsoft.com/technet/security/bulletin/ms03-049.mspx) 
(CAN-2003-0812), PNP 
(http://www.microsoft.com/technet/security/bulletin/ms05-039.mspx) 
and ASN.1 
(http://www.microsoft.com/technet/security/bulletin/ms04-007.mspx) 
and by copying itself to network shares protected by weak passwords.

W32/Tilebot-GC runs continuously in the background, providing a 
backdoor server which allows a remote intruder to gain access and 
control over the computer via IRC channels.

When first run W32/Tilebot-GC copies itself to <Windows 
folder>\wincrypt32.exe.

The file wincrypt32.exe is registered as a new system driver service 
named "wincrypt32.exe", with a display name of "Windows Decrypt 
manager" and a startup type of automatic, so that it is started 
automatically during system startup. Registry entries are created 
under:

HKLM\SYSTEM\CurrentControlSet\Services\wincrypt32.exe\

W32/Tilebot-GC sets the following registry entries, disabling the 
automatic startup of other software:

HKLM\SYSTEM\CurrentControlSet\Services\Messenger
Start
4

HKLM\SYSTEM\CurrentControlSet\Services\RemoteRegistry
Start
4

HKLM\SYSTEM\CurrentControlSet\Services\TlntSvr
Start
4

Registry entries are set as follows:

HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate
DoNotAllowXPSP2
1

HKLM\SOFTWARE\Microsoft\Ole
EnableDCOM
N

HKLM\SYSTEM\CurrentControlSet\Control\Lsa
restrictanonymous
1

Registry entries are created under:

HKLM\SOFTWARE\Microsoft\Security Center\
HKLM\SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile\
HKLM\SOFTWARE\Policies\Microsoft\WindowsFirewall\StandardProfile\





Name   Troj/Servu-DD

Type  
    * Trojan

Affected operating systems  
    * Windows

Side effects  
    * Allows others to access the computer
    * Leaves non-infected files on computer

Aliases  
    * Backdoor.Win32.ServU-based
    * Serv-U.dr

Prevalence (1-5) 2

Description
Troj/Servu-DD is a hacked version of a commercially available FTP 
server that will listen on a port for incoming commands from a remote 
attacker.

Troj/Servu-DD will create a text file called patch.dll in the current 
folder.





Name   Troj/Dloadr-AJG

Type  
    * Trojan

Affected operating systems  
    * Windows

Side effects  
    * Downloads code from the internet

Aliases  
    * Trojan-Downloader.Win32.Small.cxh

Prevalence (1-5) 2

Description
Troj/Dloadr-AJG is a Trojan for the Windows platform.

Advanced
Troj/Dloadr-AJG is a Trojan for the Windows platform.

Troj/Dloadr-AJG has the functionality to silently download, install 
and run new software.

When run, the Trojan may create the following files

c:\ntldr1.exe (Detected as Troj/DwnLdr-BON)
c:\ntldr2.exe (Detected as Troj/Prelo-A)
c:\ntldr3.exe (Detected as Troj/DownLdr-QK)
c:\ntldr4.exe (Detected as Troj/Harnig-AK)
c:\ntldr5.exe (Not available at time of writing)





Name   Troj/Ranck-EP

Type  
    * Trojan

Affected operating systems  
    * Windows

Side effects  
    * Allows others to access the computer
    * Installs itself in the Registry

Aliases  
    * Trojan-Proxy.Win32.Ranky.fw

Prevalence (1-5) 2

Description
Troj/Ranck-EP is a proxy Trojan that allows a remote intruder to 
route HTTP traffic through the computer.

Advanced
Troj/Ranck-EP is a proxy Trojan that allows a remote intruder to 
route HTTP traffic through the computer.

The following registry entry is created to run Troj/Ranck-EP on 
startup:

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Services
<pathname of the Trojan executable>

Troj/Ranck-EP runs continuously in the background listening on a port.

Troj/Ranck-EP has been seen pretending to be a version of Google 
Toolbar.





Name   Troj/Dropper-KY

Type  
    * Trojan

Affected operating systems  
    * Windows

Side effects  
    * Drops more malware
    * Leaves non-infected files on computer

Aliases  
    * Trojan-Spy.Win32.Banbra.gi
    * PWS-Banker.gen.b

Prevalence (1-5) 2

Description
Troj/Dropper-KY is a Trojan dropper for the Windows platform.

Advanced
Troj/Dropper-KY is a Trojan dropper for the Windows platform.

Troj/Dropper-KY creates temporary files in the current or Windows 
folder with filenames starting "SXE", often SXE1.TMP, SXE2.TMP and 
SXE3.TMP. Two files are related to a clean DLL, the third is detected 
as Troj/Banker-CZS.





Name   W32/Rbot-ETT

Type  
    * Worm

How it spreads  
    * Network shares

Affected operating systems  
    * Windows

Side effects  
    * Turns off anti-virus applications
    * Allows others to access the computer
    * Downloads code from the internet
    * Reduces system security
    * Installs itself in the Registry
    * Exploits system or software vulnerabilities

Aliases  
    * Backdoor.Win32.Rbot.aym
    * WORM_RBOT.NV

Prevalence (1-5) 2

Description
W32/Rbot-ETT is a worm and IRC backdoor for the Windows platform.

W32/Rbot-ETT spreads to computers vulnerable to common exploits, 
including: RPC-DCOM 
(http://www.microsoft.com/technet/security/bulletin/ms04-012.mspx) 
and WKS 
(http://www.microsoft.com/technet/security/bulletin/ms03-049.mspx),
and to MSSQL servers protected by weak passwords and to network shares.

W32/Rbot-ETT runs continuously in the background, providing a 
backdoor server which allows a remote intruder to gain access and 
control over the computer via IRC channels.

Advanced
W32/Rbot-ETT is a worm and IRC backdoor for the Windows platform.

W32/Rbot-ETT spreads to computers vulnerable to common exploits, 
including: RPC-DCOM 
(http://www.microsoft.com/technet/security/bulletin/ms04-012.mspx) 
and WKS 
(http://www.microsoft.com/technet/security/bulletin/ms03-049.mspx),
and to MSSQL servers protected by weak passwords and to network shares.

W32/Rbot-ETT runs continuously in the background, providing a 
backdoor server which allows a remote intruder to gain access and 
control over the computer via IRC channels.

When first run W32/Rbot-ETT copies itself to <Windows system 
folder>\msconfigs.exe.

The following registry entries are created to run msconfigs.exe on 
startup:

HKCU\Software\Microsoft\Windows\CurrentVersion\Run
Microsoft Configoration Service
msconfigs.exe

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Microsoft Configoration Service
msconfigs.exe

HKCU\Software\Microsoft\Windows\CurrentVersion\RunServices
Microsoft Configoration Service
msconfigs.exe

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices
Microsoft Configoration Service
msconfigs.exe

Registry entries are set as follows:

HKCU\SYSTEM\CurrentControlSet\Control\Lsa
Microsoft Configoration Service
msconfigs.exe

HKLM\SYSTEM\CurrentControlSet\Control\Lsa
Microsoft Configoration Service
msconfigs.exe

HKCU\Software\Microsoft\OLE
Microsoft Configoration Service
msconfigs.exe

HKLM\SOFTWARE\Microsoft\Ole
Microsoft Configoration Service
msconfigs.exe





Name   Troj/Hyder-A

Type  
    * Trojan

Affected operating systems  
    * Windows

Side effects  
    * Reduces system security
    * Installs itself in the Registry

Aliases  
    * Trojan.Win32.Agent.vp

Prevalence (1-5) 2

Description
Troj/Hyder-A is a Trojan for the Windows platform.

Troj/Hyder-A includes functionality to access the internet and 
communicate with a remote server via HTTP.

Advanced
Troj/Hyder-A is a Trojan for the Windows platform.

Troj/Hyder-A includes functionality to access the internet and 
communicate with a remote server via HTTP.

When Troj/Hyder-A is installed, the Trojan creates a hidden local 
admin account on the compromised computer. It also creates the 
following file:

<Common Files>\System\<name>.exe, where <name> is either lpt or com 
and a number. This file is also detected as Troj/Hyder-A.

The file <name>.exe is registered as a new system driver service 
named "<random characters>", with a display name of "<random 
characters>" and a startup type of automatic, so that it is started 
automatically during system startup. Registry entries are created 
under:

HKLM\SYSTEM\CurrentControlSet\Services\<random characters>\

After a certain amount of time, Troj/Hyder-A will attempt to download 
files from a remote location. At the time of writing, the files were 
unavailable for download.

The following registry entry is set:

HKLM\SOFTWARE\Microsoft\Windows 
NT\CurrentVersion\Winlogon\SpecialAccounts\UserList
<random characters>
0





Name   W32/VB-CAI

Type  
    * Worm

How it spreads  
    * Peer-to-peer

Affected operating systems  
    * Windows

Side effects  
    * Installs itself in the Registry

Aliases  
    * Virus.Win32.VB.p
    * Infection:
    * trojan

Prevalence (1-5) 2

Description
W32/VB-CAI is a Peer-to-peer worm for the Windows platform.

Advanced
W32/VB-CAI is a P2P worm for the Windows platform.

When first run W32/VB-CAI copies itself into <Windows>\config_.com 
and various file sharing folders under different names, for example:
\My Music\My Music.exe
\My Shared Folder\My Shared Folder.exe
<Program Files>\KaZaA\KaZaA.exe
<Program Files>\Kmd\Kmd.exe
<Program Files>\Limewire\Limewire.exe

and creates the file \Autorun.inf. This file can be deleted.

W32/VB-CAI also copies itself to the startup folder, creating an 
entry under
<Startup>\startupFolder.com.

The following registry entry is created to run config_.com on startup:

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Explorer
<Windows>\config_.com





Name   Troj/Danmec-S

Type  
    * Trojan

Affected operating systems  
    * Windows

Side effects  
    * Turns off anti-virus applications
    * Allows others to access the computer

Aliases  
    * Win32/Spy.Gepost
    * W32.Mytob@mm

Prevalence (1-5) 2

Description
Troj/Danmec-S is a backdoor Trojan for the Windows platform.

The Trojan provides functionality to a remote attacker including the 
ability to send emails, terminate security processes and modify the 
system HOSTS file.





Name   Troj/QQRob-QX

Type  
    * Spyware Trojan

Affected operating systems  
    * Windows

Side effects  
    * Turns off anti-virus applications
    * Steals information
    * Records keystrokes
    * Installs itself in the Registry

Aliases  
    * Trojan-PSW.Win32.QQRob.0708
    * Win32/PSW.QQRob.NAC

Prevalence (1-5) 2

Description
Troj/QQRob-RX is a Trojan for the Windows platform.

Troj/QQRob-RX steals passwords and may attempt to disable security 
applications.

Troj/QQRob-RX includes functionality to access the internet and 
communicate
with a remote server via HTTP.

Advanced
Troj/QQRob-RX is a Trojan for the Windows platform.

Troj/QQRob-RX steals passwords and may attempt to disable security 
applications.

Troj/QQRob-RX includes functionality to access the internet and 
communicate
with a remote server via HTTP.

When first run Troj/QQRob-RX copies itself to <System>\NTdHcP.exe and 
creates
the file <Windows>\Deleteme.bat.

The following registry entry is created to run NTdHcP.exe on startup:

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
NTdhcp
<System>\NTdhcp.exe





Name   Troj/SrchSpy-C

Type  
    * Spyware Trojan

Affected operating systems  
    * Windows

Side effects  
    * Steals information
    * Installs itself in the Registry

Aliases  
    * Trojan-Spy.Win32.Small.ez

Prevalence (1-5) 2

Description
Troj/SrchSpy-C is a Trojan for the Windows platform.

Troj/SrchSpy-C monitors Internet Explorer activity, and may retrieve 
information about browsing habits as well as inspecting and modifying 
search queries.

Advanced
Troj/SrchSpy-C is a Trojan for the Windows platform.

Troj/SrchSpy-C monitors Internet Explorer activity, and may retrieve 
information about browsing habits as well as inspecting and modifying 
search queries.

When first run, Troj/SrchSpy-C creates the following files:

<System>\IEFilter.dll
<System>\Service.exe

On NT based systems, Service.exe is registered as a service with a 
display name of Service, creating registry entries under the following:

HKLM\SYSTEM\CurrentControlSet\Services\Service\

The following registry entry is created to run code exported by the 
Trojan IEFilter.dll:

HKCR\CLSID\(3DCE4CF1-0504-402C-9860-ADCADE4B32C1)\InprocServer32
<System>\IEFilter.dll

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad
IEFilter
(3DCE4CF1-0504-402C-9860-ADCADE4B32C1)

Registry entries are also created under:

HKLM\SOFTWARE\Microsoft\Filter\





Name   W32/Sdbot-CCR

Type  
    * Worm

How it spreads  
    * Network shares

Affected operating systems  
    * Windows

Side effects  
    * Allows others to access the computer
    * Installs itself in the Registry
    * Exploits system or software vulnerabilities

Aliases  
    * Backdoor.Win32.SdBot.yx
    * W32/Sdbot.worm.gen.z

Prevalence (1-5) 2

Description
W32/Sdbot-CCR is a worm and IRC backdoor Trojan for the Windows 
platform.

W32/Sdbot-CCR spreads to other network computers by exploiting common 
buffer
overflow vulnerabilities, including: RPC-DCOM (MS04-012), PNP 
(MS05-039) and
ASN.1 (MS04-007) and by copying itself to network shares protected by 
weak
passwords.

W32/Sdbot-CCR runs continuously in the background, providing a 
backdoor server
which allows a remote intruder to gain access and control over the 
computer via
IRC channels.

Advanced
W32/Sdbot-CCR is a worm and IRC backdoor Trojan for the Windows 
platform.

W32/Sdbot-CCR spreads to other network computers by exploiting common 
buffer
overflow vulnerabilities, including: RPC-DCOM (MS04-012), PNP 
(MS05-039) and
ASN.1 (MS04-007) and by copying itself to network shares protected by 
weak
passwords.

W32/Sdbot-CCR runs continuously in the background, providing a 
backdoor server
which allows a remote intruder to gain access and control over the 
computer via
IRC channels.

When first run W32/Sdbot-CCR copies itself to <Windows>\Mscfg.exe.

The following registry entries are created to run Mscfg.exe on startup:

HKCU\Software\Microsoft\Windows\CurrentVersion\Run
Ms System Config
Mscfg.exe

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Ms System Config
Mscfg.exe

HKCU\Software\Microsoft\Windows\CurrentVersion\RunServices
Ms System Config
Mscfg.exe

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices
Ms System Config
Mscfg.exe

W32/Sdbot-CCR sets the following registry entries, disabling the 
automatic
startup of other software:

HKLM\SYSTEM\CurrentControlSet\Services\wuauserv
Start
4

HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess
Start
4

Note: disabling autostart for the SharedAccess service deactivates the
Microsoft Internet Connection Firewall (ICF).

Registry entries are set as follows:

HKCU\SYSTEM\CurrentControlSet\Control\Lsa
Ms System Config
Mscfg.exe

HKLM\SYSTEM\CurrentControlSet\Control\Lsa
Ms System Config
Mscfg.exe

HKCU\Software\Microsoft\OLE
Ms System Config
Mscfg.exe

HKLM\SOFTWARE\Microsoft\Ole
Ms System Config
Mscfg.exe

HKLM\SOFTWARE\Microsoft\Ole
EnableDCOM
N

HKLM\SYSTEM\CurrentControlSet\Control\Lsa
restrictanonymous
1

 
--- MultiMail/Win32 v0.43
 * Origin: Try Our Web Based QWK: DOCSPLACE.ORG (1:123/140)
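The write-ups above keep returning to the same handful of registry locations: Run/RunServices values with bogus names, ShellServiceObjectDelayLoad and CLSID entries for loader DLLs, a service named after the dropped executable, Start=4 on wuauserv/SharedAccess/Messenger/RemoteRegistry/TlntSvr, EnableDCOM=N and restrictanonymous=1 to lock rivals out, DoNotAllowXPSP2=1, and a SpecialAccounts\UserList value of 0 to hide a planted admin account. The following triage script is an added example written for this page; it is not code from the original post or from Sophos. It assumes the input is a Windows Registry Editor 5.00 export (.reg) taken from the suspect host, the list of stock ShellServiceObjectDelayLoad names is an assumed XP default set you should tune for your build, and the embedded export is constructed sample data, not from a real infection.

```python
"""Registry triage for the persistence and tamper indicators catalogued in the
Sophos write-ups above. Input is a Windows Registry Editor 5.00 export (.reg),
so the check runs offline against a file pulled from a suspect host."""
import re
from typing import Dict, List, Optional, Tuple

Hive = Dict[str, Dict[str, object]]
Finding = Tuple[str, str, str]          # (indicator, key path, detail)

# Run/RunServices value names quoted in the post, mapped to the family using them.
AUTORUN_NAMES = {
    "microsoft configoration service": "W32/Rbot-ETT",
    "ms system config": "W32/Sdbot-CCR",
    "ntdhcp": "Troj/QQRob-RX",
    "msnmsgr": "Troj/Banker-CZP",
    "services": "Troj/Ranck-EP",
}
RUN_KEYS = ("\\currentversion\\run", "\\currentversion\\runservices")
# Services the bots above switch off with Start=4 (SERVICE_DISABLED).
WATCHED_SERVICES = {"wuauserv", "sharedaccess", "messenger", "remoteregistry", "tlntsvr"}
# Assumed stock Windows XP ShellServiceObjectDelayLoad entries; tune per build.
SSODL_ALLOWLIST = {"postbootreminder", "cdburn", "webcheck", "systray", "upnpmonitor"}


def _unescape(s: str) -> str:
    """Undo .reg string escaping (\\" and \\\\)."""
    return s.replace('\\"', '"').replace("\\\\", "\\")


def parse_reg(text: str) -> Hive:
    """Parse a .reg export into {key: {value_name: value}}. dword: values become
    ints, quoted strings are unescaped, the default value is stored under ''."""
    hive: Hive = {}
    current: Optional[str] = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(("Windows Registry Editor", ";")):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            hive.setdefault(current, {})
            continue
        m = re.match(r'^(@|"((?:[^"\\]|\\.)*)")=(.*)$', line)
        if current is None or not m:
            continue
        name = "" if m.group(1) == "@" else _unescape(m.group(2))
        rhs = m.group(3)
        if rhs.startswith("dword:"):
            hive[current][name] = int(rhs[6:], 16)
        elif len(rhs) >= 2 and rhs[0] == rhs[-1] == '"':
            hive[current][name] = _unescape(rhs[1:-1])
        else:
            hive[current][name] = rhs            # hex(...) blobs are kept raw
    return hive


def _get(values: Dict[str, object], name: str):
    """Case-insensitive value lookup (registry value names are not case-sensitive)."""
    return next((v for n, v in values.items() if n.lower() == name.lower()), None)


def hunt(hive: Hive) -> List[Finding]:
    """Walk every exported key and return the indicators from the write-ups that match."""
    findings: List[Finding] = []
    for key, values in hive.items():
        k = key.lower()
        if k.endswith(RUN_KEYS):
            for name, val in values.items():
                family = AUTORUN_NAMES.get(name.lower())
                if family:
                    findings.append((f"autorun value used by {family}", key, f"{name} = {val}"))
                elif str(val).lower().endswith("config_.com"):   # W32/VB-CAI uses value name 'Explorer'
                    findings.append(("autorun value used by W32/VB-CAI", key, f"{name} = {val}"))
        if k.endswith("\\shellserviceobjectdelayload"):
            for name, val in values.items():
                if name.lower() not in SSODL_ALLOWLIST:   # Feebs-AX and SrchSpy-C load from here
                    findings.append(("non-stock ShellServiceObjectDelayLoad entry", key, f"{name} = {val}"))
        if "\\currentcontrolset\\services\\" in k:
            svc, _, sub = k.split("\\currentcontrolset\\services\\", 1)[1].partition("\\")
            if not sub and svc in WATCHED_SERVICES and _get(values, "Start") == 4:
                findings.append(("security service disabled (Start=4)", key, svc))
            if not sub and svc.endswith(".exe"):          # Tilebot-GC names its service after the file
                findings.append(("service named after an executable", key, svc))
        if k.endswith("\\microsoft\\ole") and str(_get(values, "EnableDCOM")).upper() == "N":
            findings.append(("DCOM disabled (EnableDCOM=N)", key, "EnableDCOM = N"))
        if k.endswith("\\control\\lsa") and _get(values, "restrictanonymous") == 1:
            # Legitimate hardening too; bots set it to keep other worms off the box, so correlate.
            findings.append(("restrictanonymous=1 (bot lock-out or admin hardening)", key, "restrictanonymous = 1"))
        if k.endswith("\\windowsupdate") and _get(values, "DoNotAllowXPSP2") == 1:
            findings.append(("XP SP2 install blocked", key, "DoNotAllowXPSP2 = 1"))
        if k.endswith("\\winlogon\\specialaccounts\\userlist"):
            for name, val in values.items():
                if val == 0:                                # Hyder-A hides its admin account this way
                    findings.append(("hidden local account", key, name))
    return findings


# Constructed sample export (not from a real host) seeded with several of the
# indicators above plus two benign entries (ctfmon.exe and the stock WebCheck SSO).
SAMPLE_REG = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Ms System Config"="Mscfg.exe"
"ctfmon.exe"="C:\\WINDOWS\\system32\\ctfmon.exe"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess]
"Start"=dword:00000004

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\wincrypt32.exe]
"DisplayName"="Windows Decrypt manager"
"Start"=dword:00000002

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Ole]
"EnableDCOM"="N"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList]
"qzpx"=dword:00000000

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad]
"WebCheck"="{E6FB5E20-DE35-11CF-9C87-00AA005127ED}"
"msab32.dll"="{00000000-0000-0000-0000-000000000001}"
"""


def triage_sample() -> List[Finding]:
    """Run the hunt over the constructed sample export."""
    return hunt(parse_reg(SAMPLE_REG))


if __name__ == "__main__":
    for indicator, key, detail in triage_sample():
        print(f"[{indicator}] {key} :: {detail}")
```

Export the hives with `reg export HKLM hklm.reg` on the suspect host (or pull the SYSTEM/SOFTWARE hive files and convert them offline), then feed the text to `hunt(parse_reg(...))`. The value-name matches are brittle by design, since the bots above change names between variants; the structural checks (a service named `*.exe`, Start=4 on a security service, a zero under SpecialAccounts\UserList, a non-stock SSODL entry) survive renaming and are the ones worth keeping in a baseline comparison.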