Fidonet echomail

Tillbaka till svenska Fidonet
English Information Debug
TRAPDOOR 0/19
TREK 0/755
TUB 0/290
UFO 0/40
UNIX 0/1316
USA_EURLINK 0/102
USR_MODEMS 0/1
VATICAN 0/2740
VIETNAM_VETS 0/14
VIRUS 0/378
VIRUS_INFO 0/201
VISUAL_BASIC 0/473
WHITEHOUSE 0/5187
WIN2000 0/101
WIN32 0/30
WIN95 0/4288
WIN95_OLD1 0/70272
WINDOWS 0/1517
WWB_SYSOP 0/419
WWB_TECH 0/810
ZCC-PUBLIC 0/1
ZEC 4

4DOS 0/134
ABORTION 0/7
ALASKA_CHAT 0/506
ALLFIX_FILE 0/1313
ALLFIX_FILE_OLD1 0/7997
ALT_DOS 0/152
AMATEUR_RADIO 0/1039
AMIGASALE 0/14
AMIGA 0/331
AMIGA_INT 0/1
AMIGA_PROG 0/20
AMIGA_SYSOP 0/26
ANIME 0/15
ARGUS 0/924
ASCII_ART 0/340
ASIAN_LINK 0/651
ASTRONOMY 0/417
AUDIO 0/92
AUTOMOBILE_RACING 0/105
BABYLON5 0/17862
BAG 135
BATPOWER 0/361
BBBS.ENGLISH 0/382
BBSLAW 0/109
BBS_ADS 0/5290
BBS_INTERNET 0/507
BIBLE 0/3563
BINKD 0/1119
BINKLEY 0/215
BLUEWAVE 0/2173
CABLE_MODEMS 0/25
CBM 0/46
CDRECORD 0/66
CDROM 0/20
CLASSIC_COMPUTER 0/378
COMICS 0/15
CONSPRCY 0/899
COOKING 32896
COOKING_OLD1 0/24719
COOKING_OLD2 0/40862
COOKING_OLD3 0/37489
COOKING_OLD4 0/35496
COOKING_OLD5 9370
C_ECHO 0/189
C_PLUSPLUS 0/31
DIRTY_DOZEN 0/201
DOORGAMES 0/2056
DOS_INTERNET 0/196
duplikat 6002
ECHOLIST 0/18295
EC_SUPPORT 0/318
ELECTRONICS 0/359
ELEKTRONIK.GER 1534
ENET.LINGUISTIC 0/13
ENET.POLITICS 0/4
ENET.SOFT 0/11701
ENET.SYSOP 33903
ENET.TALKS 0/32
ENGLISH_TUTOR 0/2000
EVOLUTION 0/1335
FDECHO 0/217
FDN_ANNOUNCE 0/7068
FIDONEWS 24125
FIDONEWS_OLD1 0/49742
FIDONEWS_OLD2 0/35949
FIDONEWS_OLD3 0/30874
FIDONEWS_OLD4 0/37224
FIDO_SYSOP 12852
FIDO_UTIL 0/180
FILEFIND 0/209
FILEGATE 0/212
FILM 0/18
FNEWS_PUBLISH 4408
FN_SYSOP 41678
FN_SYSOP_OLD1 71952
FTP_FIDO 0/2
FTSC_PUBLIC 0/13599
FUNNY 0/4886
GENEALOGY.EUR 0/71
GET_INFO 105
GOLDED 0/408
HAM 0/16070
HOLYSMOKE 0/6791
HOT_SITES 0/1
HTMLEDIT 0/71
HUB203 466
HUB_100 264
HUB_400 39
HUMOR 0/29
IC 0/2851
INTERNET 0/424
INTERUSER 0/3
IP_CONNECT 719
JAMNNTPD 0/233
JAMTLAND 0/47
KATTY_KORNER 0/41
LAN 0/16
LINUX-USER 0/19
LINUXHELP 0/1155
LINUX 0/22092
LINUX_BBS 0/957
mail 18.68
mail_fore_ok 249
MENSA 0/341
MODERATOR 0/102
MONTE 0/992
MOSCOW_OKLAHOMA 0/1245
MUFFIN 0/783
MUSIC 0/321
N203_STAT 926
N203_SYSCHAT 313
NET203 321
NET204 69
NET_DEV 0/10
NORD.ADMIN 0/101
NORD.CHAT 0/2572
NORD.FIDONET 189
NORD.HARDWARE 0/28
NORD.KULTUR 0/114
NORD.PROG 0/32
NORD.SOFTWARE 0/88
NORD.TEKNIK 0/58
NORD 0/453
OCCULT_CHAT 0/93
OS2BBS 0/787
OS2DOSBBS 0/580
OS2HW 0/42
OS2INET 0/37
OS2LAN 0/134
OS2PROG 0/36
OS2REXX 0/113
OS2USER-L 207
OS2 0/4786
OSDEBATE 0/18996
PASCAL 0/490
PERL 0/457
PHP 0/45
POINTS 0/405
POLITICS 0/29554
POL_INC 0/14731
PSION 103
R20_ADMIN 1121
R20_AMATORRADIO 0/2
R20_BEST_OF_FIDONET 13
R20_CHAT 0/893
R20_DEPP 0/3
R20_DEV 399
R20_ECHO2 1379
R20_ECHOPRES 0/35
R20_ESTAT 0/719
R20_FIDONETPROG...
...RAM.MYPOINT 0/2
R20_FIDONETPROGRAM 0/22
R20_FIDONET 0/248
R20_FILEFIND 0/24
R20_FILEFOUND 0/22
R20_HIFI 0/3
R20_INFO2 3218
R20_INTERNET 0/12940
R20_INTRESSE 0/60
R20_INTR_KOM 0/99
R20_KANDIDAT.CHAT 42
R20_KANDIDAT 28
R20_KOM_DEV 112
R20_KONTROLL 0/13270
R20_KORSET 0/18
R20_LOKALTRAFIK 0/24
R20_MODERATOR 0/1852
R20_NC 76
R20_NET200 245
R20_NETWORK.OTH...
...ERNETS 0/13
R20_OPERATIVSYS...
...TEM.LINUX 0/44
R20_PROGRAMVAROR 0/1
R20_REC2NEC 534
R20_SFOSM 0/340
R20_SF 0/108
R20_SPRAK.ENGLISH 0/1
R20_SQUISH 107
R20_TEST 2
R20_WORST_OF_FIDONET 12
RAR 0/9
RA_MULTI 106
RA_UTIL 0/162
REGCON.EUR 0/2056
REGCON 0/13
SCIENCE 0/1206
SF 0/239
SHAREWARE_SUPPORT 0/5146
SHAREWRE 0/14
SIMPSONS 0/169
STATS_OLD1 0/2539.065
STATS_OLD2 0/2530
STATS_OLD3 0/2395.095
STATS_OLD4 0/1692.25
SURVIVOR 0/495
SYSOPS_CORNER 0/3
SYSOP 0/84
TAGLINES 0/112
TEAMOS2 0/4530
TECH 0/2617
TEST.444 0/105
Möte VIRUS, 378 texter
Text 205, 1603 rader
Skriven 2006-08-12 18:15:00 av KURT WISMER (1:123/140)
Ärende: News, August 12 2006
============================
[cut-n-paste from sophos.com]

Name   Troj/Agent-CST

Type  
    * Spyware Trojan

Affected operating systems  
    * Windows

Side effects  
    * Steals information
    * Installs itself in the Registry

Aliases  
    * BackDoor-CVT
    * TROJ_AGENT.CST

Prevalence (1-5) 2

Description
Troj/Agent-CST is a Trojan for the Windows platform.

Advanced
Troj/Agent-CST is a Trojan for the Windows platform.

Troj/Agent-CST is installed to the Windows system folder as 
win???32.dll where ? is a random character a-z.

The following registry entries are created to run code exported by 
Troj/Agent-CST on startup:

HKLM\SOFTWARE\Microsoft\Windows 
NT\CurrentVersion\Winlogon\Notify\win???32
DllName
win???32.dll

HKLM\SOFTWARE\Microsoft\Windows 
NT\CurrentVersion\Winlogon\Notify\win???32
Impersonate
0

HKLM\SOFTWARE\Microsoft\Windows 
NT\CurrentVersion\Winlogon\Notify\win???32
Startup
EvtStartup

Registry entries are created under:

HKCR\MezziaCodec.Chl\CLSID
HKLM\SOFTWARE\Microsoft\MSSMGR





Name   Troj/DwnLdr-DPC

Type  
    * Trojan

Affected operating systems  
    * Windows

Side effects  
    * Downloads code from the internet

Aliases  
    * Trojan.Win32.VB.arm

Prevalence (1-5) 2

Description
Troj/DwnLdr-DPC is a downloader Trojan for the Windows platform.

Advanced
Troj/DwnLdr-DPC is a downloader Trojan for the Windows platform.

When run Troj/DwnLdr-DPC copies itself to <System>\mschkdsk.ex as a 
hidden, system file.

Troj/DwnLdr-DPC includes functionality to:
- download code from the internet
- change Internet Explorer settings

Troj/DwnLdr-DPC also attempts to create or change registry entries 
under:

HKLM\SOFTWARE\Microsoft\Internet Explorer\Main\
HKCU\Software\Microsoft\Windows\CurrentVersion\Run\

The following registry entry is set:

HKCU\AppEvents\Schemes\Apps\Explorer\Navigating\.Current
(default)
<Windows>\Media\start.wav





Name   Troj/Goldun-DS

Type  
    * Spyware Trojan

Affected operating systems  
    * Windows

Side effects  
    * Steals credit card details
    * Steals information
    * Installs itself in the Registry

Aliases  
    * Trojan-Spy.Win32.Goldun.lm

Prevalence (1-5) 2

Description
Troj/Goldun-DS is a Trojan for the Windows platform.

Troj/Goldun-DS monitors browser activity in an attempt to steal 
passwords when users browse to certain websites, including 
www.e-gold.com. The Trojan may attempt to modify browser settings in 
order to force users to re-type passwords.

Advanced
Troj/Goldun-DS is a Trojan for the Windows platform.

Troj/Goldun-DS monitors browser activity in an attempt to steal 
passwords when users browse to certain websites, including 
www.e-gold.com. The Trojan may attempt to modify browser settings in 
order to force users to re-type passwords.

The file vmmdiag3.exe can be created in order to run the Trojan - 
this file should be deleted. The following registry entry is created 
in order to run the Trojan automatically on login:

HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon
Shell
Explorer.exe vmmdiag32.exe

(this is Explorer.exe by default)





Name   W32/Brontok-BG

Type  
    * Worm

How it spreads  
    * Email attachments

Affected operating systems  
    * Windows

Side effects  
    * Turns off anti-virus applications
    * Sends itself to email addresses found on the infected computer
    * Drops more malware
    * Forges the sender's email address
    * Uses its own emailing engine
    * Installs itself in the Registry
    * Leaves non-infected files on computer

Aliases  
    * Email-Worm.Win32.Brontok.o
    * W32/Rontokbro.gen@MM
    * Win32/Pazetus.C
    * W32.Rontokbro@mm

Prevalence (1-5) 2

Description
W32/Brontok-BG is a mass-mailing worm for the Windows platform.

W32/Brontok-BG sends itself to email addresses found on the infected 
computer.

Emails sent by the worm have the following characteristics:

If the recipient's address is Indonesian:

Subject: Foto Liburanku di Bali

Message text:

Halo Sobat,
Ini fotoku saat liburan di Bali.
Semoga kamu jadi ingat aku terus.
Terima kasih,

For all other addresses:

Subject: My Photo on Paris

Message text:

This photo was taken from my vacation on Paris, last week.
Wishing you always remember me.
Regards,

Attachment name: Picture.zip

The zip file contains Picture.bmp and View-Picture.bat. 
View-Picture.bat runs Picture.bmp.

Picture.bmp is an executable which attempts to download and execute a 
copy of the worm from a preconfigured website.

Advanced
W32/Brontok-BG is a mass-mailing worm for the Windows platform.

W32/Brontok-BG sends itself to email addresses found on the infected 
computer.

Emails sent by the worm have the following characteristics:

If the recipient's address is Indonesian:

Subject: Foto Liburanku di Bali

Message text:

Halo Sobat,
Ini fotoku saat liburan di Bali.
Semoga kamu jadi ingat aku terus.
Terima kasih,

For all other addresses:

Subject: My Photo on Paris

Message text:

This photo was taken from my vacation on Paris, last week.
Wishing you always remember me.
Regards,

Attachment name: Picture.zip

The zip file contains Picture.bmp and View-Picture.bat. 
View-Picture.bat runs Picture.bmp.

Picture.bmp is an executable which attempts to download and execute a 
copy of the worm from a preconfigured website.

When first run W32/Brontok-BG copies itself to:

<User>\Local Settings\Application Data\dv<random>\yesbron.com
<User>\Local Settings\Application Data\jalak<random>.com
<Windows folder>\_default<random>.pif
<Windows folder>\j<random>.exe
<Windows folder>\o<random>.exe
<Windows folder>\sa<random>\ib<random>.exe
<Windows system folder>\c<random>.com
<Windows system folder>\n<random>\b<random>.exe
<Windows system folder>\n<random>\csrss.exe
<Windows system folder>\n<random>\lsass.exe
<Windows system folder>\n<random>\services.exe
<Windows system folder>\n<random>\smss.exe
<Windows system folder>\n<random>\sv<random>.exe
<Windows system folder>\n<random>\winlogon.exe

where <random> is a sequence of randomly generated numbers.

and creates the following files:

Baca Bro !!!.txt
<Windows folder>\Tasks\At1.job
<Windows folder>\Tasks\At2.job
<Windows system folder>\n5817\c.bron.tok.txt

These files can be deleted.

The .job files each contain a scheduled task, instructing Windows to 
execute the installed copies of the worm once per day.

W32/Brontok-BG may install a new version of the file <Windows system 
folder>\msvbvm60.dll.

The following registry entries are created to run yesbron.com, 
_default<random>.pif, j<random>.exe and sv<random>.exe on startup:

HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\run
<random characters>
<User>\Local Settings\Application Data\dv<random>\yesbron.com

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\run
<random characters>
<Windows folder>\_default<random>.pif

HKCU\Software\Microsoft\Windows\CurrentVersion\Run
<random characters>
<Windows system folder>\<random>\sv<random>.exe

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
<random characters>
<Windows folder>\<random>.exe

The following registry entries are changed to run j<random>.exe and 
o<random>.exe on startup:

HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon
Shell
Explorer.exe "<Windows folder>\<random>.exe"

(the default value for this registry entry is "Explorer.exe" which 
causes the Microsoft file <Windows folder>\Explorer.exe to be run on 
startup).

HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon
Userinit
<Windows system folder>\userinit.exe,<Windows folder>\<random>.exe

(the default value for this registry entry is "<Windows 
folder>\System32\userinit.exe,").

The following registry entry is set, disabling the registry editor 
(regedit):

HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System
DisableRegistryTools
1

Registry entries are set as follows:

HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced
Hidden
0

HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced
HideFileExt
1

HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced
ShowSuperHidden
0

W32/Brontok-BG also overwrites the HOSTS file with the following 
mappings:

127.0.0.19 mcafee.com
127.0.0.19 www.mcafee.com
127.0.0.19 mcafee.net
127.0.0.19 www.mcafee.net
127.0.0.19 mcafee.org
127.0.0.19 www.mcafee.org
127.0.0.19 mcafeesecurity.com
127.0.0.19 www.mcafeesecurity.com
127.0.0.19 mcafeesecurity.net
127.0.0.19 www.mcafeesecurity.net
127.0.0.19 mcafeesecurity.org
127.0.0.19 www.mcafeesecurity.org
127.0.0.19 mcafeeb2b.com
127.0.0.19 www.mcafeeb2b.com
127.0.0.19 mcafeeb2b.net
127.0.0.19 www.mcafeeb2b.net
127.0.0.19 mcafeeb2b.org
127.0.0.19 www.mcafeeb2b.org
127.0.0.19 nai.com
127.0.0.19 www.nai.com
127.0.0.19 nai.net
127.0.0.19 www.nai.net
127.0.0.19 nai.org
127.0.0.19 www.nai.org
127.0.0.19 vil.nai.com
127.0.0.19 www.vil.nai.com
127.0.0.19 vil.nai.net
127.0.0.19 www.vil.nai.net
127.0.0.19 vil.nai.org
127.0.0.19 www.vil.nai.org
127.0.0.19 grisoft.com
127.0.0.19 www.grisoft.com
127.0.0.19 grisoft.net
127.0.0.19 www.grisoft.net
127.0.0.19 grisoft.org
127.0.0.19 www.grisoft.org
127.0.0.19 kaspersky-labs.com
127.0.0.19 www.kaspersky-labs.com
127.0.0.19 kaspersky-labs.net
127.0.0.19 www.kaspersky-labs.net
127.0.0.19 kaspersky-labs.org
127.0.0.19 www.kaspersky-labs.org
127.0.0.19 kaspersky.com
127.0.0.19 www.kaspersky.com
127.0.0.19 kaspersky.net
127.0.0.19 www.kaspersky.net
127.0.0.19 kaspersky.org
127.0.0.19 www.kaspersky.org
127.0.0.19 downloads1.kaspersky-labs.com
127.0.0.19 www.downloads1.kaspersky-labs.com
127.0.0.19 downloads1.kaspersky-labs.net
127.0.0.19 www.downloads1.kaspersky-labs.net
127.0.0.19 downloads1.kaspersky-labs.org
127.0.0.19 www.downloads1.kaspersky-labs.org
127.0.0.19 downloads2.kaspersky-labs.com
127.0.0.19 www.downloads2.kaspersky-labs.com
127.0.0.19 downloads2.kaspersky-labs.net
127.0.0.19 www.downloads2.kaspersky-labs.net
127.0.0.19 downloads2.kaspersky-labs.org
127.0.0.19 www.downloads2.kaspersky-labs.org
127.0.0.19 downloads3.kaspersky-labs.com
127.0.0.19 www.downloads3.kaspersky-labs.com
127.0.0.19 downloads3.kaspersky-labs.net
127.0.0.19 www.downloads3.kaspersky-labs.net
127.0.0.19 downloads3.kaspersky-labs.org
127.0.0.19 www.downloads3.kaspersky-labs.org
127.0.0.19 downloads4.kaspersky-labs.com
127.0.0.19 www.downloads4.kaspersky-labs.com
127.0.0.19 downloads4.kaspersky-labs.net
127.0.0.19 www.downloads4.kaspersky-labs.net
127.0.0.19 downloads4.kaspersky-labs.org
127.0.0.19 www.downloads4.kaspersky-labs.org
127.0.0.19 download.mcafee.com
127.0.0.19 www.download.mcafee.com
127.0.0.19 download.mcafee.net
127.0.0.19 www.download.mcafee.net
127.0.0.19 download.mcafee.org
127.0.0.19 www.download.mcafee.org
127.0.0.19 norton.com
127.0.0.19 www.norton.com
127.0.0.19 norton.net
127.0.0.19 www.norton.net
127.0.0.19 norton.org
127.0.0.19 www.norton.org
127.0.0.19 symantec.com
127.0.0.19 www.symantec.com
127.0.0.19 symantec.net
127.0.0.19 www.symantec.net
127.0.0.19 symantec.org
127.0.0.19 www.symantec.org
127.0.0.19 liveupdate.symantecliveupdate.com
127.0.0.19 www.liveupdate.symantecliveupdate.com
127.0.0.19 liveupdate.symantecliveupdate.net
127.0.0.19 www.liveupdate.symantecliveupdate.net
127.0.0.19 liveupdate.symantecliveupdate.org
127.0.0.19 www.liveupdate.symantecliveupdate.org
127.0.0.19 liveupdate.symantec.com
127.0.0.19 www.liveupdate.symantec.com
127.0.0.19 liveupdate.symantec.net
127.0.0.19 www.liveupdate.symantec.net
127.0.0.19 liveupdate.symantec.org
127.0.0.19 www.liveupdate.symantec.org
127.0.0.19 update.symantec.com
127.0.0.19 www.update.symantec.com
127.0.0.19 update.symantec.net
127.0.0.19 www.update.symantec.net
127.0.0.19 update.symantec.org
127.0.0.19 www.update.symantec.org
127.0.0.19 securityresponse.symantec.com
127.0.0.19 www.securityresponse.symantec.com
127.0.0.19 securityresponse.symantec.net
127.0.0.19 www.securityresponse.symantec.net
127.0.0.19 securityresponse.symantec.org
127.0.0.19 www.securityresponse.symantec.org
127.0.0.19 sarc.com
127.0.0.19 www.sarc.com
127.0.0.19 sarc.net
127.0.0.19 www.sarc.net
127.0.0.19 sarc.org
127.0.0.19 www.sarc.org
127.0.0.19 vaksin.com
127.0.0.19 www.vaksin.com
127.0.0.19 vaksin.net
127.0.0.19 www.vaksin.net
127.0.0.19 vaksin.org
127.0.0.19 www.vaksin.org
127.0.0.19 forum.vaksin.com
127.0.0.19 www.forum.vaksin.com
127.0.0.19 forum.vaksin.net
127.0.0.19 www.forum.vaksin.net
127.0.0.19 forum.vaksin.org
127.0.0.19 www.forum.vaksin.org
127.0.0.19 norman.com
127.0.0.19 www.norman.com
127.0.0.19 norman.net
127.0.0.19 www.norman.net
127.0.0.19 norman.org
127.0.0.19 www.norman.org
127.0.0.19 trendmicro.com
127.0.0.19 www.trendmicro.com
127.0.0.19 trendmicro.net
127.0.0.19 www.trendmicro.net
127.0.0.19 trendmicro.org
127.0.0.19 www.trendmicro.org
127.0.0.19 trendmicro-europe.com
127.0.0.19 www.trendmicro-europe.com
127.0.0.19 trendmicro-europe.net
127.0.0.19 www.trendmicro-europe.net
127.0.0.19 trendmicro-europe.org
127.0.0.19 www.trendmicro-europe.org
127.0.0.19 ae.trendmicro-europe.com
127.0.0.19 www.ae.trendmicro-europe.com
127.0.0.19 ae.trendmicro-europe.net
127.0.0.19 www.ae.trendmicro-europe.net
127.0.0.19 ae.trendmicro-europe.org
127.0.0.19 www.ae.trendmicro-europe.org
127.0.0.19 it.trendmicro-europe.com
127.0.0.19 www.it.trendmicro-europe.com
127.0.0.19 it.trendmicro-europe.net
127.0.0.19 www.it.trendmicro-europe.net
127.0.0.19 it.trendmicro-europe.org
127.0.0.19 www.it.trendmicro-europe.org
127.0.0.19 secunia.com
127.0.0.19 www.secunia.com
127.0.0.19 secunia.net
127.0.0.19 www.secunia.net
127.0.0.19 secunia.org
127.0.0.19 www.secunia.org
127.0.0.19 winantivirus.com
127.0.0.19 www.winantivirus.com
127.0.0.19 winantivirus.net
127.0.0.19 www.winantivirus.net
127.0.0.19 winantivirus.org
127.0.0.19 www.winantivirus.org
127.0.0.19 pandasoftware.com
127.0.0.19 www.pandasoftware.com
127.0.0.19 pandasoftware.net
127.0.0.19 www.pandasoftware.net
127.0.0.19 pandasoftware.org
127.0.0.19 www.pandasoftware.org
127.0.0.19 esafe.com
127.0.0.19 www.esafe.com
127.0.0.19 esafe.net
127.0.0.19 www.esafe.net
127.0.0.19 esafe.org
127.0.0.19 www.esafe.org
127.0.0.19 f-secure.com
127.0.0.19 www.f-secure.com
127.0.0.19 f-secure.net
127.0.0.19 www.f-secure.net
127.0.0.19 f-secure.org
127.0.0.19 www.f-secure.org
127.0.0.19 europe.f-secure.com
127.0.0.19 www.europe.f-secure.com
127.0.0.19 europe.f-secure.net
127.0.0.19 www.europe.f-secure.net
127.0.0.19 europe.f-secure.org
127.0.0.19 www.europe.f-secure.org
127.0.0.19 bhs.com
127.0.0.19 www.bhs.com
127.0.0.19 bhs.net
127.0.0.19 www.bhs.net
127.0.0.19 bhs.org
127.0.0.19 www.bhs.org
127.0.0.19 datafellows.com
127.0.0.19 www.datafellows.com
127.0.0.19 datafellows.net
127.0.0.19 www.datafellows.net
127.0.0.19 datafellows.org
127.0.0.19 www.datafellows.org
127.0.0.19 cheyenne.com
127.0.0.19 www.cheyenne.com
127.0.0.19 cheyenne.net
127.0.0.19 www.cheyenne.net
127.0.0.19 cheyenne.org
127.0.0.19 www.cheyenne.org
127.0.0.19 ontrack.com
127.0.0.19 www.ontrack.com
127.0.0.19 ontrack.net
127.0.0.19 www.ontrack.net
127.0.0.19 ontrack.org
127.0.0.19 www.ontrack.org
127.0.0.19 sands.com
127.0.0.19 www.sands.com
127.0.0.19 sands.net
127.0.0.19 www.sands.net
127.0.0.19 sands.org
127.0.0.19 www.sands.org
127.0.0.19 sophos.com
127.0.0.19 www.sophos.com
127.0.0.19 sophos.net
127.0.0.19 www.sophos.net
127.0.0.19 sophos.org
127.0.0.19 www.sophos.org
127.0.0.19 icubed.com
127.0.0.19 www.icubed.com
127.0.0.19 icubed.net
127.0.0.19 www.icubed.net
127.0.0.19 icubed.org
127.0.0.19 www.icubed.org
127.0.0.19 perantivirus.com
127.0.0.19 www.perantivirus.com
127.0.0.19 perantivirus.net
127.0.0.19 www.perantivirus.net
127.0.0.19 perantivirus.org
127.0.0.19 www.perantivirus.org
127.0.0.19 castlecops.com
127.0.0.19 www.castlecops.com
127.0.0.19 castlecops.net
127.0.0.19 www.castlecops.net
127.0.0.19 castlecops.org
127.0.0.19 www.castlecops.org
127.0.0.19 virustotal.com
127.0.0.19 www.virustotal.com
127.0.0.19 virustotal.net
127.0.0.19 www.virustotal.net
127.0.0.19 virustotal.org
127.0.0.19 www.virustotal.org
127.0.0.19 free-av.com
127.0.0.19 www.free-av.com
127.0.0.19 free-av.net
127.0.0.19 www.free-av.net
127.0.0.19 free-av.org
127.0.0.19 www.free-av.org
127.0.0.19 antivirus.com
127.0.0.19 www.antivirus.com
127.0.0.19 antivirus.net
127.0.0.19 www.antivirus.net
127.0.0.19 antivirus.org
127.0.0.19 www.antivirus.org
127.0.0.19 anti-virus.com
127.0.0.19 www.anti-virus.com
127.0.0.19 anti-virus.net
127.0.0.19 www.anti-virus.net
127.0.0.19 anti-virus.org
127.0.0.19 www.anti-virus.org
127.0.0.19 ca.com
127.0.0.19 www.ca.com
127.0.0.19 ca.net
127.0.0.19 www.ca.net
127.0.0.19 ca.org
127.0.0.19 www.ca.org
127.0.0.19 fajarweb.com
127.0.0.19 www.fajarweb.com
127.0.0.19 fajarweb.net
127.0.0.19 www.fajarweb.net
127.0.0.19 fajarweb.org
127.0.0.19 www.fajarweb.org
127.0.0.19 jasakom.com
127.0.0.19 www.jasakom.com
127.0.0.19 jasakom.net
127.0.0.19 www.jasakom.net
127.0.0.19 jasakom.org
127.0.0.19 www.jasakom.org
127.0.0.19 backup.grisoft.com
127.0.0.19 www.backup.grisoft.com
127.0.0.19 backup.grisoft.net
127.0.0.19 www.backup.grisoft.net
127.0.0.19 backup.grisoft.org
127.0.0.19 www.backup.grisoft.org
127.0.0.19 infokomputer.com
127.0.0.19 www.infokomputer.com
127.0.0.19 infokomputer.net
127.0.0.19 www.infokomputer.net
127.0.0.19 infokomputer.org
127.0.0.19 www.infokomputer.org
127.0.0.19 playboy.com
127.0.0.19 www.playboy.com
127.0.0.19 playboy.net
127.0.0.19 www.playboy.net
127.0.0.19 playboy.org
127.0.0.19 www.playboy.org
127.0.0.19 sex-mission.com
127.0.0.19 www.sex-mission.com
127.0.0.19 sex-mission.net
127.0.0.19 www.sex-mission.net
127.0.0.19 sex-mission.org
127.0.0.19 www.sex-mission.org
127.0.0.19 pornstargals.com
127.0.0.19 www.pornstargals.com
127.0.0.19 pornstargals.net
127.0.0.19 www.pornstargals.net
127.0.0.19 pornstargals.org
127.0.0.19 www.pornstargals.org
127.0.0.19 kaskus.com
127.0.0.19 www.kaskus.com
127.0.0.19 kaskus.net
127.0.0.19 www.kaskus.net
127.0.0.19 kaskus.org
127.0.0.19 www.kaskus.org
127.0.0.19 17tahun.com
127.0.0.19 www.17tahun.com
127.0.0.19 17tahun.net
127.0.0.19 www.17tahun.net
127.0.0.19 17tahun.org
127.0.0.19 www.17tahun.org





Name   W32/Sdbot-CNH

Type  
    * Worm

How it spreads  
    * Network shares

Affected operating systems  
    * Windows

Side effects  
    * Allows others to access the computer
    * Downloads code from the internet
    * Installs itself in the Registry
    * Exploits system or software vulnerabilities

Aliases  
    * Backdoor.Win32.Aimbot.en

Prevalence (1-5) 2

Description
W32/Sdbot-CNH is a worm and IRC backdoor for the Windows platform.

W32/Sdbot-CNH runs continuously in the background, providing a 
backdoor server which allows a remote intruder to gain access and 
control over the computer via IRC channels.

W32/Sdbot-CNH includes functionality to silently download, install 
and run new software, including updates of its software.

Advanced
W32/Sdbot-CNH is a worm and IRC backdoor for the Windows platform.

W32/Sdbot-CNH runs continuously in the background, providing a 
backdoor server which allows a remote intruder to gain access and 
control over the computer via IRC channels.

W32/Sdbot-CNH includes functionality to silently download, install 
and run new software, including updates of its software.

W32/Sdbot-CNH spreads to other network computers by exploiting common 
buffer overflow vulnerabilities, including: LSASS (MS04-011), 
RPC-DCOM (MS04-012), WKS (MS03-049) (CAN-2003-0812), PNP (MS05-039) 
and ASN.1 (MS04-007) and by copying itself to network shares 
protected by weak passwords.

When first run W32/Sdbot-CNH moves itself to <WINDOWS>\win64tyt.exe.

The file win64tyt.exe is registered as a new service named 
"Win32Export", with a display name of "Windows Updater" and a startup 
type of automatic, so that it is started automatically during system 
startup. Registry entries are created under:

HKLM\SYSTEM\CurrentControlSet\Services\Win32Export\

W32/Sdbot-CNH will set the following registry entries in an attempt 
to circumvent Microsoft Windows security measures:

HKLM\SOFTWARE\Microsoft\Security Center
AntiVirusDisableNotify
1

HKLM\SOFTWARE\Microsoft\Security Center
AntiVirusOverride
1

HKLM\SOFTWARE\Microsoft\Security Center
FirewallDisableNotify
1

HKLM\SOFTWARE\Microsoft\Security Center
FirewallOverride
1

HKLM\SOFTWARE\Microsoft\Security Center
UpdatesDisableNotify
1





Name   W32/Looked-F

Type  
    * Worm

How it spreads  
    * Infected files
    * Peer-to-peer

Affected operating systems  
    * Windows

Side effects  
    * Downloads code from the internet
    * Installs itself in the Registry

Aliases  
    * Worm.Win32.Viking.i
    * Win32/Viking.NAB
    * W32.Looked.P
    * PE_LOOKED.M

Prevalence (1-5) 2

Description
W32/Looked-F is a virus and backdoor for the Windows platform.

W32/Looked-F runs continuously in the background, providing a 
backdoor server which allows a remote intruder to gain access and 
control over the computer.

W32/Looked-F attempts to copy itself to network shares and infect EXE 
files.

W32/Looked-F includes functionality to access the internet and 
communicate with a remote server via HTTP.

Advanced
W32/Looked-F is a virus and backdoor for the Windows platform.

W32/Looked-F runs continuously in the background, providing a 
backdoor server which allows a remote intruder to gain access and 
control over the computer.

W32/Looked-F attempts to copy itself to network shares and infect EXE 
files.

W32/Looked-F includes functionality to access the internet and 
communicate with a remote server via HTTP.

When first run W32/Looked-F copies itself to <Windows>\rundl132.exe 
and creates the file vDll.dll.

The following registry entry is created to run rundl132.exe on startup:

HKCU\Software\Microsoft\Windows NT\CurrentVersion\Windows
load
<Windows>\rundl132.exe

Registry entries are created under:

HKLM\SOFTWARE\Soft\DownloadWWW\





Name   Troj/DelSpy-E

Type  
    * Spyware Trojan

Affected operating systems  
    * Windows

Side effects  
    * Allows others to access the computer
    * Steals information
    * Uses its own emailing engine
    * Reduces system security
    * Installs itself in the Registry

Prevalence (1-5) 2

Description
Troj/DelSpy-E is a Trojan for the Windows platform.

Troj/DelSpy-E may inject code into other processes and includes 
functionality to steal passwords and email the information it steals 
to a remote user. The Trojan may also include backdoor functionality, 
allowing a remote user to gain a command prompt on the compromised 
computer.

Advanced
Troj/DelSpy-E is a Trojan for the Windows platform.

Troj/DelSpy-E may inject code into other processes and includes 
functionality to steal passwords and email the information it steals 
to a remote user. The Trojan may also include backdoor functionality, 
allowing a remote user to gain a command prompt on the compromised 
computer.

When first run Troj/DelSpy-E copies itself to <System>\msjwer.exe and 
creates the following files:

<Windows>\msjwer.dll - also detected as Troj/DelSpy-E
<System>\msjwer.hts

The following registry entry is created to run msjwer.exe on startup:

HKLM\SOFTWARE\Microsoft\Active Setup\Installed 
Components\52ED14AE-AB22-2CCA-CD3A-1AA4221E022C)
StubPath
<System>\msjwer.exe

Troj/DelSpy-E sets the following registry entries, disabling the 
automatic startup of other software:

HKLM\SYSTEM\CurrentControlSet\Services\srservice
Start
4

The following registry entry is set:

HKCU\Software\Adobe\GGZE
GGD
msjwer.hts

The file <System>\msjwer.hts is a text file which can safely be 
deleted after the above registry entry is removed.





Name   W32/Looked-G

Type  
    * Virus

How it spreads  
    * Network shares
    * Infected files

Affected operating systems  
    * Windows

Side effects  
    * Allows others to access the computer
    * Downloads code from the internet
    * Installs itself in the Registry
    * Leaves non-infected files on computer

Aliases  
    * Worm.Win32.Viking.r
    * W32/HLLP.Philis.ao
    * Win32/Viking.NAP
    * PE_LOOKED.AP

Prevalence (1-5) 2

Description
W32/Looked-G is a virus and backdoor for the Windows platform.

W32/Looked-G runs continuously in the background, providing a 
backdoor server which allows a remote intruder to gain access and 
control over the computer.

W32/Looked-G attempts to copy itself to network shares and infect EXE 
files.

W32/Looked-G includes functionality to access the internet and 
communicate with a remote server via HTTP.

Advanced
W32/Looked-G is a virus and backdoor for the Windows platform.

W32/Looked-G runs continuously in the background, providing a 
backdoor server which allows a remote intruder to gain access and 
control over the computer.

W32/Looked-G attempts to copy itself to network shares and infect EXE 
files.

W32/Looked-G includes functionality to access the internet and 
communicate with a remote server via HTTP.

When first run W32/Looked-G copies itself to <Windows>\rundl132.exe 
and creates the file \%CurrentFolder%\viDll.dll.

The following registry entry is created to run rundl132.exe on startup:

HKCU\Software\Microsoft\Windows NT\CurrentVersion\Windows
load
<Windows>\rundl132.exe

Registry entries are created under:

HKLM\SOFTWARE\Soft\DownloadWWW\

The virus may create files named "_desktop.ini" in folders it 
searches - these are harmless and can be deleted.





Name   W32/Bobandy-B

Type  
    * Worm

How it spreads  
    * Email attachments
    * Network shares
    * Peer-to-peer

Affected operating systems  
    * Windows

Side effects  
    * Sends itself to email addresses found on the infected computer
    * Installs itself in the Registry
    * Leaves non-infected files on computer

Prevalence (1-5) 2

Description
W32/Bobandy-B is a mass-mailing worm for the Windows platform.

Emails sent by W32/Bobandy-B have the following characteristics:

Subject line:

Registration Confirmation
Cek This
hello
RE:bla bla bla
RE:HeLLO GuYs

Message text:

hi please see this file
For security reasons attached file is password protected.
The password is 55132098

hey Indonesian porn
Tiara lestari pic's
For security reasons attached file is password protected.
The password is 55132098

free screen saver romance for you
Please Visit Our Web Site
For security reasons attached file is password protected.
The password is 55132098

please read again what i have written to you
For security reasons attached file is password protected.
The password is 55132098

thank's for you register, your acount details are attached
For security reasons attached file is password protected.
The password is 55132098

The attached file will take one of the following names:

MYpIC.zip
curriculum vittae.zip
USE_RAR_To_Extract.ace
ZIPPED.zip
FILEATTACH.bz2
Doc.gz
file.bz2
thisfile.gz
4TITTA'S Picture.jar

Advanced
W32/Bobandy-B is a mass-mailing worm for the Windows platform.

Emails sent by W32/Bobandy-B have the following characteristics:

Subject line:

Registration Confirmation
Cek This
hello
RE:bla bla bla
RE:HeLLO GuYs

Message text:

hi please see this file
For security reasons attached file is password protected.
The password is 55132098

hey Indonesian porn
Tiara lestari pic's
For security reasons attached file is password protected.
The password is 55132098

free screen saver romance for you
Please Visit Our Web Site
For security reasons attached file is password protected.
The password is 55132098

please read again what i have written to you
For security reasons attached file is password protected.
The password is 55132098

thank's for you register, your acount details are attached
For security reasons attached file is password protected.
The password is 55132098

The attached file will take one of the following names:

MYpIC.zip
curriculum vittae.zip
USE_RAR_To_Extract.ace
ZIPPED.zip
FILEATTACH.bz2
Doc.gz
file.bz2
thisfile.gz
4TITTA'S Picture.jar

When first run W32/Bobandy-B copies itself to:

<Startup>\sql.cmd
<User>\Templates\o<random digits>z\Tux<random characters>.exe
<User>\Templates\o<random digits>z\service.exe
<User>\Templates\o<random digits>z\winlogon.exe
<Windows>\Ti<random characters>ta.exe
<Windows>\m<random digits>\EmangEloh.exe
<Windows>\m<random digits>\Ja<random characters>bLay.com
<Windows>\m<random digits>\smss.exe
<Windows>\sa-<random digits>.exe
<System>\<random digits>l.exe
<System>\X<random digits>go\Z<random digits>cie.cmd
<Windows>\SoftwareDistribution\Download\Windows Vista setup
<Windows>\pchealth\UploadLB\Blink 182
<Windows>\ime\shared\Love Song
<Program Files>\Movie Maker\Shared\Gallery
<Windows>\Downloaded Program Files\RaHaslA
<Program Files>\Common Files\Microsoft Shared\Data DosenKu

and creates the following harmless files:

\[TheMoonlight].txt

W32/Bobandy-B creates the following registry entries:

HKCU\Software\Microsoft\Windows\CurrentVersion\Run
T
<Windows>\sa-<random digits>.exe

HKCU\Software\Microsoft\Windows\CurrentVersion\Run
TT4
<System>\<random digits>l.exe

HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon
Shell
explorer.exe, <User>\Templates\o<random digits>z\Tux<random 
characters>.exe

HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon
Userinit
userinit.exe, <Windows>\m<random digits>\Ja<random characters>bLay.com

Registry entries are created under:

HKCU\Software\VB and VBA Program Settings\untukmu\version\
HKLM\SOFTWARE\Microsoft\TUX\Path\
HKLM\SOFTWARE\Microsoft\TUX\biang\

W32/Bobandy-B attempts to copy itself to the root folders of all 
mapped drives.

W32/Bobandy-B harvests email addresses from files on the infected 
computer.





Name   Troj/Bancos-ATA

Type  
    * Spyware Trojan

Affected operating systems  
    * Windows

Side effects  
    * Steals credit card details
    * Steals information

Aliases  
    * Trojan-Spy.Win32.Bancos.to
    * Win32/Spy.Bancos.U

Prevalence (1-5) 2

Description
Troj/Bancos-ATA is a password-stealing Trojan for the Windows platform.

Troj/Bancos-ATA steals login information for certain online banking 
applications.

Advanced
Troj/Bancos-ATA is a password-stealing Trojan for the Windows platform.

Troj/Bancos-ATA steals login information for certain online banking 
applications.

When first run Troj/Bancos-ATA copies itself to 
<System>\tasklist32.exe.





Name   Troj/IRCBot-PF

Type  
    * Trojan

Affected operating systems  
    * Windows

Side effects  
    * Allows others to access the computer
    * Installs itself in the Registry

Prevalence (1-5) 2

Description
Troj/IRCBot-PF is a Trojan for the Windows platform.

Troj/IRCBot-PF runs continuously in the background, providing a 
backdoor server which allows a remote intruder to gain access and 
control over the computer via IRC channels.

Troj/IRCBot-PF includes functionality to access the internet and 
communicate with a remote server via HTTP.

Advanced
Troj/IRCBot-PF is a Trojan for the Windows platform.

Troj/IRCBot-PF runs continuously in the background, providing a 
backdoor server which allows a remote intruder to gain access and 
control over the computer via IRC channels.

Troj/IRCBot-PF includes functionality to access the internet and 
communicate with a remote server via HTTP.

When first run Troj/IRCBot-PF copies itself to <Windows 
folder>\lsass.exe.

The file lsass.exe is registered as a new system driver service named 
"sdk", with a display name of "Microsoft sdk core" and a startup type 
of automatic, so that it is started automatically during system 
startup. Registry entries are created under:

HKLM\SYSTEM\CurrentControlSet\Services\sdk\





Name   Troj/Dloadr-ALC

Type  
    * Trojan

Affected operating systems  
    * Windows

Side effects  
    * Downloads code from the internet

Prevalence (1-5) 2

Description
Troj/Dloadr-ALC is an downloader Trojan for the Windows platform.

When installed, the Trojan includes functionality to connect to a 
remote address and download a file to <Windows>\au.exe. It then 
proceeds to execute the downloaded file.

The downloaded file was unavailable at the time of writing.





Name   W32/Sdbot-DTM

Type  
    * Spyware Worm

How it spreads  
    * Network shares

Affected operating systems  
    * Windows

Side effects  
    * Allows others to access the computer
    * Steals information
    * Reduces system security
    * Records keystrokes
    * Installs itself in the Registry
    * Exploits system or software vulnerabilities
    * Used in DOS attacks
    * Scans network for vulnerabilities
    * Scans network for open ports

Aliases  
    * Backdoor.Win32.SdBot.ato
    * W32/Sdbot.UFA

Prevalence (1-5) 2

Description
W32/Sdbot-DTM is a worm and IRC backdoor Trojan for the Windows 
platform.

W32/Sdbot-DTM spreads to other network computers via network shares 
and by exploiting common buffer overflow vulnerabilities, including 
ASN.1 (MS04-007).

W32/Sdbot-DTM runs continuously in the background, providing a 
backdoor server which allows a remote intruder to gain access and 
control over the computer via IRC channels.

W32/Sdbot-DTM includes functionality to access the internet and 
communicate with a remote server via HTTP, to log keypresses, and to 
alter firewall security settings.

Advanced
W32/Sdbot-DTM is a worm and IRC backdoor Trojan for the Windows 
platform.

W32/Sdbot-DTM spreads to other network computers via network shares 
and by exploiting common buffer overflow vulnerabilities, including 
ASN.1 (MS04-007).

W32/Sdbot-DTM runs continuously in the background, providing a 
backdoor server which allows a remote intruder to gain access and 
control over the computer via IRC channels.

W32/Sdbot-DTM includes functionality to access the internet and 
communicate with a remote server via HTTP, to log keypresses, and to 
alter firewall security settings.

When first run W32/Sdbot-DTM copies itself to <Windows>\lsass.exe.

The file lsass.exe is registered as a new system driver service named 
"sdk", with a display name of "Microsoft sdk core" and a startup type 
of automatic, so that it is started automatically during system 
startup. Registry entries are created under:

HKLM\SYSTEM\CurrentControlSet\Services\sdk\





Name   W32/Brontok-BH

Type  
    * Worm

How it spreads  
    * Network shares

Affected operating systems  
    * Windows

Side effects  
    * Installs itself in the Registry

Aliases  
    * Trojan.Win32.VB.aqn

Prevalence (1-5) 2

Description
W32/Brontok-BH is a worm for the Windows platform.

W32/Brontok-BH may disable file extensions, and create copies of 
itself with filenames matching any of the following extensions:

MP3
MP4
MPG
MPEG
AVI
DAT
WMV
4JPG
GIF
JPEG
PNG
ASX
WMA
MDB
XLS

Advanced
W32/Brontok-BH is a worm for the Windows platform.

W32/Brontok-BH may disable file extensions, and create copies of 
itself with filenames matching any of the following extensions:

MP3
MP4
MPG
MPEG
AVI
DAT
WMV
4JPG
GIF
JPEG
PNG
ASX
WMA
MDB
XLS

When first run W32/Brontok-BH copies itself to:

\4k51k4.exe
<Startup>\Empty.pif
<User>\Local Settings\Application Data\windows\csrss.exe
<User>\Local Settings\Application Data\windows\lsass.exe
<User>\Local Settings\Application Data\windows\services.exe
<User>\Local Settings\Application Data\windows\smss.exe
<User>\Local Settings\Application Data\windows\winlogon.exe
<Windows folder>\4k51k4.exe
<Windows system folder>\IExplorer.exe
<Windows system folder>\MrHelloween.scr
<Windows system folder>\shell.exe

and creates the file \Puisi.txt.

The following registry entries are created to run W32/Brontok-BH on 
startup:

HKCU\Software\Microsoft\Windows\CurrentVersion\Run
4k51k4
<Windows folder>\4k51k4.exe

HKCU\Software\Microsoft\Windows\CurrentVersion\Run
Service<user>
<User>\Local Settings\Application Data\WINDOWS\SERVICES.EXE

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Logon<user>
<User>\Local Settings\Application Data\WINDOWS\CSRSS.EXE

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
System Monitoring
<User>\Local Settings\Application Data\WINDOWS\LSASS.EXE

HKCU\Software\Microsoft\Windows\CurrentVersion\Run
MSMSGS
<User>\Local Settings\Application Data\WINDOWS\WINLOGON.EXE

The following registry entries are changed to run W32/Brontok-BH on 
startup:

HKCU\Control Panel\Desktop
SCRNSAVE.EXE
<Windows system folder>\MRHELL~1.SCR

HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon
Shell
Explorer.exe "<Windows system folder>\IExplorer.exe"

(the default value for this registry entry is "Explorer.exe" which 
causes the Microsoft file <Windows folder>\Explorer.exe to be run on 
startup).

HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon
Userinit
<Windows system folder>\userinit.exe,<System>\IExplorer.exe

(the default value for this registry entry is "<Windows 
folder>\System32\userinit.exe,").

The following registry entries are set or modified, so that shell.exe 
is run when files with extensions of BAT, COM, EXE and PIF are 
opened/launched:

HKCR\lnkfile\shell\open\command
(default)
<Windows system folder>\shell.exe" "%1" %*

HKCR\batfile\shell\open\command
(default)
<Windows system folder>\shell.exe" "%1" %*

HKCR\comfile\shell\open\command
(default)
<Windows system folder>\shell.exe" "%1" %*

HKCR\exefile\shell\open\command
(default)
<Windows system folder>\shell.exe" "%1" %*

HKCR\piffile\shell\open\command
(default)
<Windows system folder>\shell.exe" "%1" %*

The following registry entries are set, disabling the registry editor 
(regedit), the Windows task manager (taskmgr), the command prompt and 
system restore:

HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System
DisableCMD
1

HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System
DisableTaskMgr
1

HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System
DisableRegistryTools
1

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system
DisableTaskMgr
1

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system
DisableRegistryTools
1

HKLM\SOFTWARE\Policies\Microsoft\Windows NT\SystemRestore
DisableConfig
1

HKLM\SOFTWARE\Policies\Microsoft\Windows NT\SystemRestore
DisableSR
1

Registry entries are set as follows:

HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer
NoFolderOptions
1

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer
NoFolderOptions
1

HKLM\SOFTWARE\Policies\Microsoft\Windows\Installer
LimitSystemRestoreCheckpointing
1

HKLM\SOFTWARE\Policies\Microsoft\Windows\Installer
DisableMSI
1

HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced
Hidden
0

HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced
HideFileExt
1

HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced
ShowSuperHidden
0

HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\AeDebug
Debugger
<Windows system folder>\Shell.exe

HKCR\exefile
(default)
File Folder





Name   W32/Virut-A

Type  
    * Virus

How it spreads  
    * Infected files

Affected operating systems  
    * Windows

Side effects  
    * Allows others to access the computer

Aliases  
    * W32/Virut.a
    * Virus [PE_VIRUT.A]

Prevalence (1-5) 2

Description
W32/Virut-A is a virus and IRC backdoor for the Windows platform.

W32/Virut-A will also attempt to connect to an IRC channel and thus 
serves as a backdoor with which a remote attacker may compromise the 
system.

Advanced
W32/Virut-A is a virus and IRC backdoor for the Windows platform.

When a file infected with W32/Virut-A is run, the virus will become 
resident in memory, and will attempt to infect any executable that is 
accessed by any process running on the system. W32/Virut-A will thus 
spread very quickly throughout the filesystem.

W32/Virut-A will also attempt to connect to an IRC channel and thus 
serves as a backdoor with which a remote attacker may compromise the 
system.

 
--- MultiMail/Win32 v0.43
 * Origin: Try Our Web Based QWK: DOCSPLACE.ORG (1:123/140)