Tillbaka till svenska Fidonet
English   Information   Debug  
TRAPDOOR   0/19
TREK   0/755
TUB   0/290
UFO   0/40
UNIX   0/1316
USA_EURLINK   0/102
USR_MODEMS   0/1
VATICAN   0/2740
VIETNAM_VETS   0/14
VIRUS   0/378
VIRUS_INFO   0/201
VISUAL_BASIC   0/473
WHITEHOUSE   0/5187
WIN2000   0/101
WIN32   0/30
WIN95   0/4289
WIN95_OLD1   0/70272
WINDOWS   0/1517
WWB_SYSOP   0/419
WWB_TECH   0/810
ZCC-PUBLIC   0/1
ZEC   4

 
4DOS   0/134
ABORTION   0/7
ALASKA_CHAT   0/506
ALLFIX_FILE   0/1313
ALLFIX_FILE_OLD1   0/7997
ALT_DOS   0/152
AMATEUR_RADIO   0/1039
AMIGASALE   0/14
AMIGA   0/331
AMIGA_INT   0/1
AMIGA_PROG   0/20
AMIGA_SYSOP   0/26
ANIME   0/15
ARGUS   0/924
ASCII_ART   0/340
ASIAN_LINK   0/651
ASTRONOMY   0/417
AUDIO   0/92
AUTOMOBILE_RACING   0/105
BABYLON5   0/17862
BAG   135
BATPOWER   0/361
BBBS.ENGLISH   0/382
BBSLAW   0/109
BBS_ADS   0/5290
BBS_INTERNET   0/507
BIBLE   0/3563
BINKD   0/1119
BINKLEY   0/215
BLUEWAVE   0/2173
CABLE_MODEMS   0/25
CBM   0/46
CDRECORD   0/66
CDROM   0/20
CLASSIC_COMPUTER   0/378
COMICS   0/15
CONSPRCY   0/899
COOKING   33421
COOKING_OLD1   0/24719
COOKING_OLD2   0/40862
COOKING_OLD3   0/37489
COOKING_OLD4   0/35496
COOKING_OLD5   9370
C_ECHO   0/189
C_PLUSPLUS   0/31
DIRTY_DOZEN   0/201
DOORGAMES   0/2065
DOS_INTERNET   0/196
duplikat   6002
ECHOLIST   0/18295
EC_SUPPORT   0/318
ELECTRONICS   0/359
ELEKTRONIK.GER   1534
ENET.LINGUISTIC   0/13
ENET.POLITICS   0/4
ENET.SOFT   0/11701
ENET.SYSOP   33945
ENET.TALKS   0/32
ENGLISH_TUTOR   0/2000
EVOLUTION   0/1335
FDECHO   0/217
FDN_ANNOUNCE   0/7068
FIDONEWS   24159
FIDONEWS_OLD1   0/49742
FIDONEWS_OLD2   0/35949
FIDONEWS_OLD3   0/30874
FIDONEWS_OLD4   0/37224
FIDO_SYSOP   12852
FIDO_UTIL   0/180
FILEFIND   0/209
FILEGATE   0/212
FILM   0/18
FNEWS_PUBLISH   4436
FN_SYSOP   41706
FN_SYSOP_OLD1   71952
FTP_FIDO   0/2
FTSC_PUBLIC   0/13613
FUNNY   0/4886
GENEALOGY.EUR   0/71
GET_INFO   105
GOLDED   0/408
HAM   0/16074
HOLYSMOKE   0/6791
HOT_SITES   0/1
HTMLEDIT   0/71
HUB203   466
HUB_100   264
HUB_400   39
HUMOR   0/29
IC   0/2851
INTERNET   0/424
INTERUSER   0/3
IP_CONNECT   719
JAMNNTPD   0/233
JAMTLAND   0/47
KATTY_KORNER   0/41
LAN   0/16
LINUX-USER   0/19
LINUXHELP   0/1155
LINUX   0/22112
LINUX_BBS   0/957
mail   18.68
mail_fore_ok   249
MENSA   0/341
MODERATOR   0/102
MONTE   0/992
MOSCOW_OKLAHOMA   0/1245
MUFFIN   0/783
MUSIC   0/321
N203_STAT   930
N203_SYSCHAT   313
NET203   321
NET204   69
NET_DEV   0/10
NORD.ADMIN   0/101
NORD.CHAT   0/2572
NORD.FIDONET   189
NORD.HARDWARE   0/28
NORD.KULTUR   0/114
NORD.PROG   0/32
NORD.SOFTWARE   0/88
NORD.TEKNIK   0/58
NORD   0/453
OCCULT_CHAT   0/93
OS2BBS   0/787
OS2DOSBBS   0/580
OS2HW   0/42
OS2INET   0/37
OS2LAN   0/134
OS2PROG   0/36
OS2REXX   0/113
OS2USER-L   207
OS2   0/4786
OSDEBATE   0/18996
PASCAL   0/490
PERL   0/457
PHP   0/45
POINTS   0/405
POLITICS   0/29554
POL_INC   0/14731
PSION   103
R20_ADMIN   1123
R20_AMATORRADIO   0/2
R20_BEST_OF_FIDONET   13
R20_CHAT   0/893
R20_DEPP   0/3
R20_DEV   399
R20_ECHO2   1379
R20_ECHOPRES   0/35
R20_ESTAT   0/719
R20_FIDONETPROG...
...RAM.MYPOINT
  0/2
R20_FIDONETPROGRAM   0/22
R20_FIDONET   0/248
R20_FILEFIND   0/24
R20_FILEFOUND   0/22
R20_HIFI   0/3
R20_INFO2   3249
R20_INTERNET   0/12940
R20_INTRESSE   0/60
R20_INTR_KOM   0/99
R20_KANDIDAT.CHAT   42
R20_KANDIDAT   28
R20_KOM_DEV   112
R20_KONTROLL   0/13300
R20_KORSET   0/18
R20_LOKALTRAFIK   0/24
R20_MODERATOR   0/1852
R20_NC   76
R20_NET200   245
R20_NETWORK.OTH...
...ERNETS
  0/13
R20_OPERATIVSYS...
...TEM.LINUX
  0/44
R20_PROGRAMVAROR   0/1
R20_REC2NEC   534
R20_SFOSM   0/341
R20_SF   0/108
R20_SPRAK.ENGLISH   0/1
R20_SQUISH   107
R20_TEST   2
R20_WORST_OF_FIDONET   12
RAR   0/9
RA_MULTI   106
RA_UTIL   0/162
REGCON.EUR   0/2056
REGCON   0/13
SCIENCE   0/1206
SF   0/239
SHAREWARE_SUPPORT   0/5146
SHAREWRE   0/14
SIMPSONS   0/169
STATS_OLD1   0/2539.065
STATS_OLD2   0/2530
STATS_OLD3   0/2395.095
STATS_OLD4   0/1692.25
SURVIVOR   0/495
SYSOPS_CORNER   0/3
SYSOP   0/84
TAGLINES   0/112
TEAMOS2   0/4530
TECH   0/2617
TEST.444   0/105
Möte VIRUS, 378 texter
 lista första sista föregående nästa
Text 228, 1713 rader
Skriven 2006-10-07 18:20:00 av KURT WISMER (1:123/140)
Ärende: News, October 7 2006
============================
[cut-n-paste from sophos.com]

Name   W32/Looked-AC

Type  
    * Virus

How it spreads  
    * Network shares
    * Infected files

Affected operating systems  
    * Windows

Side effects  
    * Installs itself in the Registry
    * Leaves non-infected files on computer

Aliases  
    * Worm.Win32.Viking.ak
    * Win32/Viking.AY
    * W32.Looked.P

Prevalence (1-5) 2

Description
W32/Looked-AC is a virus for the Windows platform.

W32/Looked-AC infects EXE files found on the infected computer. The 
virus may also attempt to spread via network shares.

Advanced
W32/Looked-AC is a virus for the Windows platform.

W32/Looked-AC infects EXE files found on the computer. The virus may 
also attempt to spread via network shares.

When first run the virus copies itself to <Windows>\rundl132.exe and 
<Windows>\logo1_.exe and creates the file <Windows>\Dll.dll which is 
also detected as W32/Looked-AC. This file attempts to download 
further executable code.

The following registry entry is created to run rundl132.exe on startup:

HKCU\Software\Microsoft\Windows NT\CurrentVersion\Windows
load
<Windows>\rundl132.exe

Registry entries are created under:

HKLM\SOFTWARE\Soft\DownloadWWW\

Many files with the name "_desktop.ini" are created in various 
folders on the infected computer. These files are harmless text files.





Name   Troj/ZlobDrop-J

Type  
    * Trojan

Affected operating systems  
    * Windows

Side effects  
    * Drops more malware
    * Downloads code from the internet

Aliases  
    * Trojan-Downloader.Win32.Zlob.anj

Prevalence (1-5) 2

Description
Troj/ZlobDrop-J is a Trojan for the Windows platform.





Name   W32/Vanebot-Q

Type  
    * Spyware Worm

How it spreads  
    * Network shares
    * Chat programs

Affected operating systems  
    * Windows

Side effects  
    * Turns off anti-virus applications
    * Allows others to access the computer
    * Reduces system security
    * Records keystrokes
    * Installs itself in the Registry
    * Exploits system or software vulnerabilities

Aliases  
    * Backdoor.Win32.VanBot.u
    * W32/Sdbot.worm!MS06-040
    * Win32/IRCBot.UG
    * BKDR_VANBOT.U

Prevalence (1-5) 2

Description
W32/Vanebot-Q is a worm and IRC backdoor for the Windows platform.

W32/Vanebot-Q spreads
to other network computers by exploiting common buffer overflow 
vulnerabilities, including: SRVSVC 
(http://www.microsoft.com/technet/security/bulletin/ms06-040.mspx) 
and ASN.1 
(http://www.microsoft.com/technet/security/bulletin/ms04-007.mspx)
to MSSQL servers protected by weak passwords
to network shares
via MSN Messenger
via Yahoo Instant Messenger

W32/Vanebot-Q runs continuously in the background, providing a 
backdoor server which allows a remote intruder to gain access and 
control over the computer via IRC channels.

Advanced
W32/Vanebot-Q is a worm and IRC backdoor for the Windows platform.

W32/Vanebot-Q spreads
to other network computers by exploiting common buffer overflow 
vulnerabilities, including: SRVSVC 
(http://www.microsoft.com/technet/security/bulletin/ms06-040.mspx) 
and ASN.1 
(http://www.microsoft.com/technet/security/bulletin/ms04-007.mspx)
to MSSQL servers protected by weak passwords
to network shares
via MSN Messenger
via Yahoo Instant Messenger

W32/Vanebot-Q runs continuously in the background, providing a 
backdoor server which allows a remote intruder to gain access and 
control over the computer via IRC channels.

When first run W32/Vanebot-Q copies itself to <Windows system 
folder>\dllcache\sidmeier.exe.

The file sidmeier.exe is registered as a new system driver service 
named "Sid Meier's Alpha Centauri Planetary Pack", with a display 
name of "Sid Meier's Alpha Centauri Planetary Pack" and a startup 
type of automatic, so that it is started automatically during system 
startup. Registry entries are created under:

HKLM\SYSTEM\CurrentControlSet\Services\Sid Meier's Alpha Centauri 
Planetary Pack\

W32/Vanebot-Q sets the following registry entries, disabling the 
automatic startup of other software:

HKLM\SYSTEM\CurrentControlSet\Services\wuauserv
Start
4

HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess
Start
4

Note: disabling autostart for the SharedAccess service deactivates 
the Microsoft Internet Connection Firewall (ICF).

Registry entries are set as follows:

HKLM\SOFTWARE\Microsoft\Ole
EnableDCOM
N

HKLM\SYSTEM\CurrentControlSet\Control\Lsa
lmcompatibilitylevel
1

HKLM\SYSTEM\CurrentControlSet\Control\Lsa
restrictanonymous
1





Name   W32/Fili-B

Type  
    * Worm

How it spreads  
    * Peer-to-peer

Affected operating systems  
    * Windows

Side effects  
    * Turns off anti-virus applications
    * Modifies data on the computer
    * Downloads code from the internet
    * Installs itself in the Registry
    * Leaves non-infected files on computer

Prevalence (1-5) 2

Description
W32/Fili-B is a P2P worm for the Windows platform.

Advanced
W32/Fili-B is a P2P worm for the Windows platform.

W32/Fili-B includes functionalities to:

- download, install and run new software via HTTP
- disable AV related applications by modifying the registry
- allow unauthorised access to the infected computer

When run W32/Fili-B copies itself to:

<Program Files>\BearShare\Shared\E-gold Hack.exe
<Program Files>\Grokster\My Grokster\E-gold Hack.exe
<Program Files>\KaZaA\My Shared Folder\E-gold Hack.exe
<Program Files>\Limewire\Shared\E-gold Hack.exe
<Program Files>\Morpheus\My Shared Folder\E-gold Hack.exe
<Program Files>\Shareaza\Downloads\E-gold Hack.exe
<Program Files>\eDonkey2000\Incoming\E-gold Hack.exe
<Program Files>\emule\Incoming\E-gold Hack.exe
<Program Files>\icq\Shared Files\E-gold Hack.exe
<Program Files>\mirc\download\E-gold Hack.exe
<System>\toolsbar.exe

and creates the following files:

\dtask.reg (Can be safely removed)
<System>\drivers\driver\found\sara.descl (Can be safely removed)

The following registry entry is created to run toolsbar.exe on startup:

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Service
<System>\toolsbar.exe

The worm modifies the file <System>\drivers\etc\host with the 
following information:

127.0.0.1 arbitrage.webmoney.ru

The worm creates a Service with the display name of "Cdfs".

The worm also sets registry entry under:

HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System
DisableRegistryTools
0





Name   W32/Stratio-AQ

Type  
    * Worm

How it spreads  
    * Email attachments

Affected operating systems  
    * Windows

Side effects  
    * Installs itself in the Registry

Aliases  
    * Email-Worm.Win32.Warezov.bn
    * W32/Stration@MM
    * WORM_STRAT.CF

Prevalence (1-5) 2

Description
W32/Stratio-AQ is a worm for the Windows platform.

W32/Stratio-AQ includes functionality to access the internet and 
communicate with a remote server via HTTP.

Advanced
W32/Stratio-AQ is a worm for the Windows platform.

W32/Stratio-AQ includes functionality to access the internet and 
communicate with a remote server via HTTP.

When W32/Stratio-AQ is installed the following files are created:

<System>\hpzcpjlm.exe
<System>\miglntma.dll
<System>\msihhac.dll

The files hpzcpjlm.exe, miglntma.dll and msihhac.dll are detected as 
W32/Strati-Gen.

The following registry entry is set:

HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\
AppInit_DLLs
miglntma.dll





Name   Troj/AdClick-DI

Type  
    * Trojan

Affected operating systems  
    * Windows

Prevalence (1-5) 2

Description
Troj/AdClick-DI is a Trojan for the Windows platform.





Name   Troj/KillSec-G

Type  
    * Spyware Trojan

Affected operating systems  
    * Windows

Side effects  
    * Turns off anti-virus applications
    * Allows others to access the computer
    * Modifies data on the computer
    * Steals information
    * Downloads code from the internet
    * Reduces system security
    * Installs itself in the Registry

Aliases  
    * QHosts-66

Prevalence (1-5) 2

Description
Troj/KillSec-G is a Trojan for the Windows platform.

The Trojan has the functionality to:

modify host file located in <Windows system folder>\drivers\etc\hosts
steal information
disable anti-virus related applications
communicate with a remote server
silently download, install and run new software

Advanced
Troj/KillSec-G is a Trojan for the Windows platform.

The Trojan has the functionality to:

modify host file located in <Windows system folder>\drivers\etc\hosts
steal information
disable anti-virus related applications
communicate with a remote server
silently download, install and run new software

The Trojan creates the following registry entries:

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Microsoft Windows Session Manager Subsystem
<Windows folder>\smss.exe

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Microsoft Windows Logon Process
<Windows folder>\winlogon.exe





Name   Troj/DwnLdr-FSP

Type  
    * Trojan

Affected operating systems  
    * Windows

Side effects  
    * Downloads code from the internet
    * Installs itself in the Registry

Aliases  
    * Win32/TrojanDownloader.Agent.ANM

Prevalence (1-5) 2

Description
Troj/DwnLdr-FSP is a DLL helper Trojan component for the Windows 
platform.

Advanced
Troj/DwnLdr-FSP is a DLL helper Trojan component for the Windows 
platform.

Once installed, Troj/DwnLdr-FSP sets the following registry entry to 
run itself on startup:

HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows
AppInit_DLLs
<path to Trojan>

Registry entries are also set under:

HKLM\SOFTWARE\Microsoft\Internet Explorer
MkData





Name   Troj/Banloa-AYR

Type  
    * Trojan

Affected operating systems  
    * Windows

Prevalence (1-5) 2

Description
Troj/Banloa-AYR is a downloader Trojan for the Windows platform.

Troj/Banloa-AYR includes functionality to access the internet and 
communicate with a remote server via HTTP.

When run the Trojan will attempt to download and install a component 
to <Windows>\msapptk32.dll.





Name   W32/Vanebot-S

Type  
    * Worm

How it spreads  
    * Network shares
    * Chat programs

Affected operating systems  
    * Windows

Side effects  
    * Turns off anti-virus applications
    * Allows others to access the computer
    * Downloads code from the internet
    * Reduces system security
    * Installs itself in the Registry
    * Exploits system or software vulnerabilities

Aliases  
    * W32/Sdbot.worm!MS06-040
    * Win32/IRCBot.UH
    * TSPY_GOLDUN.GH

Prevalence (1-5) 2

Description
W32/Vanebot-S is a worm for the Windows platform. W32/Vanebot-S also 
contains IRC backdoor Trojan functionality which allows a remote 
intruder to gain access and control over the computer.

W32/Vanebot-S spreads
to computers vulnerable to common exploits, including SRVSVC 
(http://www.microsoft.com/technet/security/bulletin/ms06-040.mspx)
to MSSQL servers protected by weak passwords
to network shares
via MSN Messenger
via Yahoo Instant Messenger

Advanced
W32/Vanebot-S is a worm for the Windows platform. W32/Vanebot-S also 
contains IRC backdoor Trojan functionality which allows a remote 
intruder to gain access and control over the computer.

W32/Vanebot-S spreads
to computers vulnerable to common exploits, including SRVSVC 
(http://www.microsoft.com/technet/security/bulletin/ms06-040.mspx)
to MSSQL servers protected by weak passwords
to network shares
via MSN Messenger
via Yahoo Instant Messenger

W32/Vanebot-S may spread with the filename redworld.exe, 
redworld2.exe or <random numbers>_redworld2.exe.

When first run W32/Vanebot-S copies itself to <Windows system 
folder>\dllcache\msiupdate32.exe.

The file msiupdate32.exe is registered as a new system driver service 
named "Microsoft update Service", with a display name of "Microsoft 
update Service" and a startup type of automatic, so that it is 
started automatically during system startup. Registry entries are 
created under:

HKLM\SYSTEM\CurrentControlSet\Services\Microsoft update Service\

W32/Vanebot-S sets the following registry entries, disabling the 
automatic startup of other software:

HKLM\SYSTEM\CurrentControlSet\Services\wuauserv
Start
4

HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess
Start
4

Note: disabling autostart for the SharedAccess service deactivates 
the Microsoft Internet Connection Firewall (ICF).

Registry entries are set as follows:

HKLM\SOFTWARE\Microsoft\Ole
EnableDCOM
N

HKLM\SYSTEM\CurrentControlSet\Control\Lsa
lmcompatibilitylevel
1

HKLM\SYSTEM\CurrentControlSet\Control\Lsa
restrictanonymous
1

W32/Vanebot-S attempts to terminate a number of processes related to 
security
and anti-virus applications.





Name   W32/Sdbot-CRY

Type  
    * Worm

How it spreads  
    * Network shares

Affected operating systems  
    * Windows

Side effects  
    * Allows others to access the computer
    * Installs itself in the Registry

Aliases  
    * IRC/SdBot
    * W32.Spybot.Worm

Prevalence (1-5) 2

Description
W32/Sdbot-CRY is a worm and backdoor Trojan for the Windows platform.

Advanced
W32/Sdbot-CRY is a worm and backdoor Trojan for the Windows platform.

When first run W32/Sdbot-CRY copies itself to <Windows>\lsrvc.exe.

The following registry entry is created to run lsrvc.exe on startup:

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
wmplayer
<Windows>\lsrvc.exe

The following registry entry is set:

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions
MeltMe
<pathname of the Trojan executable>





Name   W32/Rbot-AGH

Type  
    * Spyware Worm

How it spreads  
    * Network shares

Affected operating systems  
    * Windows

Side effects  
    * Allows others to access the computer
    * Steals information
    * Uses its own emailing engine
    * Downloads code from the internet
    * Records keystrokes

Prevalence (1-5) 2

Description
W32/Rbot-AGH is a network worm with backdoor functionality for the 
Windows platform.

W32/Rbot-AGH spreads to other network computers by exploiting the 
buffer overflow vulnerabilites: LSASS and RPC-DCOM and by copying 
itself to network shares protected by weak passwords.

W32/Rbot-AGH allows a remote user to control the infected computer 
through IRC channels.

Advanced
W32/Rbot-AGH is a network worm with backdoor functionality for the 
Windows platform.

W32/Rbot-AGH spreads to other network computers by exploiting the 
buffer overflow vulnerabilites: LSASS and RPC-DCOM and by copying 
itself to network shares protected by weak passwords.

The following patches for the operating system vulnerabilities 
exploited by W32/Rbot-AGH can be obtained from the Microsoft website:

http://www.microsoft.com/technet/security/bulletin/MS04-011.mspx
http://www.microsoft.com/technet/security/bulletin/MS04-012.mspx

W32/Rbot-AGH runs continuously in the background, providing a 
backdoor server which allows a remote intruder to gain access and 
control over the computer via IRC channels.

When first run W32/Rbot-AGH copies itself to <Windows system 
folder>\LimeWire.exe.

The following registry entries are created to run LimeWire.exe on 
startup:

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Limewire
LimeWire.exe

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices
Limewire
LimeWire.exe





Name   W32/Stratio-AR

Type  
    * Worm

How it spreads  
    * Email attachments

Affected operating systems  
    * Windows

Side effects  
    * Sends itself to email addresses found on the infected computer
    * Uses its own emailing engine
    * Installs itself in the Registry

Aliases  
    * Win32/Stration.EV
    * WORM_STRATION.XT

Prevalence (1-5) 2

Description
W32/Stratio-AR is a mass-mailing worm and backdoor Trojan for the 
Windows platform.

W32/Stratio-AR spreads by sending emails with itself as an attachment 
to email addresses harvested from the Windows Address Book (WAB).

Advanced
W32/Stratio-AR is a mass-mailing worm and backdoor Trojan for the 
Windows platform.

W32/Stratio-AR spreads by sending emails with itself as an attachment 
to email addresses harvested from the Windows Address Book (WAB).

The following registry entry is created to run W32/Stratio-AR on 
startup:

HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows
AppInit_DLLs
qediwdig.dll dmdsmp4s.dll

W32/Stratio-AR also includes functionality to download, install and 
run new software.

These files are detected as W32/Strati-Gen.





Name   W32/Burmec-A

Type  
    * Worm

How it spreads  
    * Network shares

Affected operating systems  
    * Windows

Side effects  
    * Turns off anti-virus applications
    * Modifies data on the computer
    * Reduces system security
    * Installs itself in the Registry
    * Leaves non-infected files on computer

Prevalence (1-5) 2

Description
W32/Burmec-A is a worm for the Windows platform.

Advanced
W32/Burmec-A is a worm for the Windows platform.

When first run W32/Burmec-A copies itself to:

\Recycled\kernel.vdx
<Windows>\MiniGame.com
<Windows>\msgsrv16.com
<System>\cirsx.oxc
<System>\rpcsx.vdx
<System>\sndvol32.oxc

and creates the file C:\Burmecia. The file Burmecia contains the 
following text:

A PIECE OF OUR LIFE WAS HERE FIND THE OTHER......(N)

*Author Unknown*

This file can be removed safely.

The worm may copy itself to all fixed, removable and mapped drives 
with the following filenames:

command.com
cmd.exe
sfc.exe
scanregw.exe
regwiz.exe
Msconfig.exe
explorer.exe
Taskmgr.exe
REGEDIT.exe
SNDVOL32.COM
Wscript.exe

The worm has the functionality to disable AV related applications.

The worm creates the file \Recycled\desktop.ini and this file 
contains the following text:

[.ShellClassInfo]
CLSID=(645FF040-5081-101B-9F08-00AA002F954E)

This file can be safely removed.

The worm displays a picture with a profile of a female head with the 
following scrolling text at the top of the screen:

a piece of our life was here find the other

The worm has the functionality to replace files with itself or 
corrupt files.

The following registry entry is changed to run msgsrv16.com on startup:

HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon
Shell
Explorer.exe MSGSRV16.COM

(the default value for this registry entry is "Explorer.exe" which 
causes the Microsoft file <Windows>\Explorer.exe to be run on startup).

The following registry entries are set or modified, so that 
kernel.vdx, msgsrv16.com, cirsx.oxc and rpcsx.vdx are run when files 
with extensions of BAT, COM, EXE, PIF and SCR are opened/launched:

HKCR\file\Shell\open\command
(default)
<Windows>\MSGSRV16.COM

HKCR\lnffile\shell\open\command
(default)
<System>\RPCSX.VDX

HKCR\nffile\shell\open\command
(default)
<Windows>\MSGSRV16.COM

HKCR\batfile\shell\open\command
(default)
<System>\CIRSX.OXC" "%1" %*

HKCR\comfile\shell\open\command
(default)
<System>\CIRSX.OXC" "%1" %*

HKCR\exefile\shell\open\command
(default)
C:\RECYCLED\KERNEL.VDX" "%1" %*

HKCR\piffile\shell\open\command
(default)
<System>\CIRSX.OXC" "%1" %*

HKCR\scrfile\shell\open\command
(default)
C:\RECYCLED\KERNEL.VDX" "%1" %*

The following registry entries are set, disabling the registry editor 
(regedit), the Windows task manager (taskmgr) and the command prompt:

HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\system
DisableRegistryTools
1

HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\system
DisableTaskMgr
1

HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\system
DisableCMD
1

Registry entries are set as follows:

HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer
NoFind
1

HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer
NoFolderOptions
1

HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Network
DisablePwdCaching
1

HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\WinOldApp
Disabled
1

HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\WinOldApp
NoRealMode
1

HKCR\*\Shell\openas\command
(default)
<Windows>\MSGSRV16.COM

HKCR\*\shellex\OpenWith\command
(default)
<System>\SNDVOL32.OXC

HKCR\scrfile\DefaultIcon
(default)
C:\RECYCLED\KERNEL.VDX,0

HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced
Hidden
0

HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced
HideFileExt
1

HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced
ShowSuperHidden
0

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder
\Hidden\SHOWALL
Type
radio

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder
\HideFileExt
Type
checkbox

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder
\ShowFullPath
Type
checkbox

HKCR\Word.Document.8\DefaultIcon
(default)
C:\RECYCLED\KERNEL.VDX,0

HKCR\comfile
(default)
File Folder

HKCR\comfile\DefaultIcon
(default)
<System>\shell32.dll,3

HKCR\exefile\shell\runas\command
(default)
<Windows>\MSGSRV16.COM

HKCR\rtffile\DefaultIcon
(default)
C:\RECYCLED\KERNEL.VDX,0

HKCR\scrfile
(default)
Microsoft Word Document

Registry entries are created under:

HKCR\.OXC\
HKCR\.VDX\
HKCR\.com \
HKCR\.exe \
HKCR\.zx\
HKCR\fffile\
HKCR\mxfile\





Name   W32/Rbot-FPA

Type  
    * Spyware Worm

Affected operating systems  
    * Windows

Side effects  
    * Allows others to access the computer
    * Steals information
    * Reduces system security
    * Installs itself in the Registry
    * Exploits system or software vulnerabilities
    * Enables remote access
    * Scans network for vulnerabilities

Aliases  
    * Backdoor.Win32.VanBot.w
    * WORM_SPYBOT.LY

Prevalence (1-5) 2

Description
W32/Rbot-FPA is a worm and IRC backdoor for the Windows platform.

Advanced
W32/Rbot-FPA is a worm and IRC backdoor for the Windows platform.

W32/Rbot-FPA runs continuously in the background, providing a 
backdoor server which allows a remote intruder to gain access and 
control over the computer via IRC channels.

W32/Rbot-FPA includes functionality to access the internet and 
communicate with a remote server via HTTP.

W32/Rbot-FPA will attempt to spread by exploiting the following 
Microsoft Windows vulnerabilities:

LSASS (MS04-011)
SRVSVC (MS06-040)
RPC-DCOM (MS04-012)
PNP (MS05-039)
ASN.1 (MS04-007)

When first run W32/Rbot-FPA copies itself to <System>\winlogon.exe.

The file <System>\winlogon.exe is registered as a new system driver 
service named "WINLOGON", with a display name of "Windows NT Logon 
Application" and a startup type of automatic, so that it is started 
automatically during system startup. Registry entries are created 
under:

HKLM\SYSTEM\CurrentControlSet\Services\WINLOGON\

W32/Rbot-FPA sets the following registry entries, disabling the 
automatic startup of other software:

HKLM\SYSTEM\CurrentControlSet\Services\Messenger
Start
4

HKLM\SYSTEM\CurrentControlSet\Services\RemoteRegistry
Start
4

HKLM\SYSTEM\CurrentControlSet\Services\TlntSvr
Start
4

Registry entries are set as follows:

HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate
DoNotAllowXPSP2
1

HKLM\SOFTWARE\Microsoft\Ole
EnableDCOM
N

HKLM\SYSTEM\CurrentControlSet\Control\Lsa
restrictanonymous
1

Registry entries are created under:

HKLM\SOFTWARE\Microsoft\Security Center\
HKLM\SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile\
HKLM\SOFTWARE\Policies\Microsoft\WindowsFirewall\StandardProfile\





Name   W32/Virut-I

Type  
    * Virus

How it spreads  
    * Infected files

Affected operating systems  
    * Windows

Side effects  
    * Allows others to access the computer
    * Installs itself in the Registry

Prevalence (1-5) 2

Description
W32/Virut-I is a virus and backdoor Trojan for the Windows platform.

W32/Virut-I runs continuously in the background, providing a backdoor 
server which allows a remote intruder to gain access and control over 
the computer via IRC channels.

W32/Virut-I will also attempt to infect any executable that is 
accessed by any process running on the system. Any files infected 
will be detected as W32/Virut-A.

Advanced
W32/Virut-I is a virus and backdoor Trojan for the Windows platform.

W32/Virut-I runs continuously in the background, providing a backdoor 
server which allows a remote intruder to gain access and control over 
the computer via IRC channels.

W32/Virut-I will also attempt to infect any executable that is 
accessed by any process running on the system. Any files infected 
will be detected as W32/Virut-A.

When first run W32/Virut-I copies itself to <Windows system 
folder>\winfix.exe.

The following registry entries are created to run winfix.exe on 
startup:

HKCU\Software\Microsoft\Windows\CurrentVersion\Run
Windows Fixer
winfix.exe

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Windows Fixer
winfix.exe

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices
Windows Fixer
winfix.exe





Name   W32/Tilebot-HF

Type  
    * Worm

How it spreads  
    * Network shares
    * Chat programs

Affected operating systems  
    * Windows

Side effects  
    * Allows others to access the computer
    * Drops more malware
    * Downloads code from the internet
    * Reduces system security
    * Installs itself in the Registry
    * Exploits system or software vulnerabilities
    * Used in DOS attacks
    * Enables remote access
    * Scans network for vulnerabilities
    * Scans network for weak passwords

Prevalence (1-5) 2

Description
W32/Tilebot-HF is a worm and IRC backdoor Trojan for the Windows 
platform.

W32/Tilebot-HF spreads to other network computers by exploiting 
common buffer overflow vulnerabilities, including: SRVSVC (MS06-040), 
LSASS (MS04-011), RPC-DCOM (MS04-012), WKS (MS03-049) 
(CAN-2003-0812), PNP (MS05-039) and ASN.1 (MS04-007). The worm may 
also spreads via network shares and MSSQL servers protected by weak 
passwords.

W32/Tilebot-HF runs continuously in the background, providing a 
backdoor server which allows a remote intruder to gain access and 
control over the computer via IRC channels.

W32/Tilebot-HF includes functionality to access the internet and 
communicate with a remote server via HTTP.

Advanced
W32/Tilebot-HF is a worm and IRC backdoor Trojan for the Windows 
platform.

W32/Tilebot-HF spreads to other network computers by exploiting 
common buffer overflow vulnerabilities, including: SRVSVC (MS06-040), 
LSASS (MS04-011), RPC-DCOM (MS04-012), WKS (MS03-049) 
(CAN-2003-0812), PNP (MS05-039) and ASN.1 (MS04-007). The worm may 
also spread via network shares and MSSQL servers protected by weak 
passwords.

W32/Tilebot-HF runs continuously in the background, providing a 
backdoor server which allows a remote intruder to gain access and 
control over the computer via IRC channels.

W32/Tilebot-HF includes functionality to access the internet and 
communicate with a remote server via HTTP.

When first run W32/Tilebot-HF copies itself to 
<Windows>\realplayers.exe and creates the file <System>\rdriv.sys.

The file rdriv.sys is detected as Troj/Rootkit-W.

The file rdriv.sys is registered as a new system driver service named 
"rdriv", with a display name of "rdriv". Registry entries are created 
under:

HKLM\SYSTEM\CurrentControlSet\Services\rdriv\

The file realplayers.exe is registered as a new system driver service 
named "trojans", with a display name of "this change me" and a 
startup type of automatic, so that it is started automatically during 
system startup. Registry entries are created under:

HKLM\SYSTEM\CurrentControlSet\Services\trojans\

W32/Tilebot-HF sets the following registry entries, disabling the 
automatic startup of other software:

HKLM\SYSTEM\CurrentControlSet\Services\Messenger
Start
4

HKLM\SYSTEM\CurrentControlSet\Services\RemoteRegistry
Start
4

HKLM\SYSTEM\CurrentControlSet\Services\TlntSvr
Start
4

Additional registry entries are set as follows:

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions
Installed Time Me
<Date and Time>

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions
Record Me
272962

HKLM\SOFTWARE\Microsoft\Security Center
AntiVirusDisableNotify
1

HKLM\SOFTWARE\Microsoft\Security Center
AntiVirusOverride
1

HKLM\SOFTWARE\Microsoft\Security Center
FirewallDisableNotify
1

HKLM\SOFTWARE\Microsoft\Security Center
FirewallOverride
1

HKLM\SOFTWARE\Microsoft\Security Center
UpdatesDisableNotify
1

HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate
DoNotAllowXPSP2
1

HKLM\SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile
EnableFirewall
0

HKLM\SOFTWARE\Policies\Microsoft\WindowsFirewall\StandardProfile
EnableFirewall
0

HKLM\SYSTEM\CurrentControlSet\Services\lanmanserver\parameters
AutoShareServer
0

HKLM\SYSTEM\CurrentControlSet\Services\lanmanserver\parameters
AutoShareWks
0

HKLM\SYSTEM\CurrentControlSet\Services\lanmanworkstation\parameters
AutoShareServer
0

HKLM\SYSTEM\CurrentControlSet\Services\lanmanworkstation\parameters
AutoShareWks
0

HKLM\SYSTEM\CurrentControlSet\Control\
WaitToKillServiceTimeout
7000

HKLM\SOFTWARE\Microsoft\Ole
EnableDCOM
N

HKLM\SYSTEM\CurrentControlSet\Control\Lsa
restrictanonymous
1





Name   W32/Looked-AD

Type  
    * Virus

How it spreads  
    * Infected files

Affected operating systems  
    * Windows

Side effects  
    * Modifies data on the computer
    * Drops more malware
    * Installs itself in the Registry
    * Leaves non-infected files on computer

Prevalence (1-5) 2

Description
W32/Looked-AD is a virus for the Windows platform.

Advanced
W32/Looked-AD is a virus for the Windows platform.

When first run the virus copies itself to <Windows>\rundl132.exe and 
creates a file <Windows>\Dll.dll, detected as W32/Looked-Gen. This 
file attempts to download further executable code.

The virus sets the following registry entry:

HKCU\Software\Microsoft\Windows NT\CurrentVersion\Windows
load
<Windows>\rundl132.exe

The virus infects EXE files found on the infected computer.

Many files with the name "_desktop.ini" are created, in various 
folders on the infected computer. These files are harmless text files.





Name   W32/Licat-D

Type  
    * Worm

How it spreads  
    * Chat programs

Affected operating systems  
    * Windows

Side effects  
    * Modifies data on the computer

Prevalence (1-5) 2

Description
W32/Licat-D is an MSN IM worm for the Windows platform.

W32/Licat-D includes functionality to access the internet and 
communicate with a remote server via HTTP.

W32/Licat-D will attempt to send itself using an MSN IM client as 
well as download and execute components from the web.

Advanced
W32/Licat-D is an MSN IM worm for the Windows platform.

W32/Licat-D includes functionality to access the internet and 
communicate with a remote server via HTTP.

W32/Licat-D will attempt to send itself using an MSN IM client as 
well as download and execute components from the web.

When run the worm will query the registry entry in:

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\App 
Paths\MSNMSGR.EXE\Path

to locate the path to msn. W32/Licat-D will then overwrite the MSN 
client with itself.





Name   Troj/DwnLdr-FSU

Type  
    * Trojan

Affected operating systems  
    * Windows

Side effects  
    * Downloads code from the internet

Aliases  
    * Win32/TrojanDownloader.Small.NPA
    * TROJ_AGENT.DLX

Prevalence (1-5) 2

Description
Troj/DwnLdr-FSU is a downloader Trojan for the Windows platform.





Name   Troj/Clagger-AE

Type  
    * Trojan

Affected operating systems  
    * Windows

Side effects  
    * Downloads code from the internet

Prevalence (1-5) 2

Description
Troj/Clagger-AE is a Trojan for the Windows platform.

Troj/Clagger-AE attempts to download and execute files from a remote 
website.

Advanced
Troj/Clagger-AE is a Trojan for the Windows platform.

Troj/Clagger-AE attempts to download and execute files from a remote 
website.

When first run Troj/Clagger-AE copies itself to <System>\upnp.exe.

The following registry entry is created to run upnp.exe on startup:

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
np
<System>\upnp.exe

Registry entries are created under:

HKCU\Software\unker\<original Trojan filename>\main\
HKCU\Software\unker\upnp\main\





Name   W32/Rungbu-A

Type  
    * Virus

How it spreads  
    * Infected files

Affected operating systems  
    * Windows

Side effects  
    * Installs itself in the Registry
    * Leaves non-infected files on computer

Aliases  
    * Worm.Win32.VB.du
    * W32.Rungbu
    * PE_RUNGBU.A

Prevalence (1-5) 2

Description
W32/Rungbu-A infects Microsoft Word DOC files by copying itself to 
the same filename but with an SCR extension, appending the DOC file 
to the SCR copy, and then hiding the original DOC file.

W32/Rungbu-A then sets the computer not to show hidden files (in 
order to hide the DOC file), to give SCR files a Word icon (so the 
SCR file looks like a Word file), and to hide file extensions (so the 
SCR file just displays the filename, not the SCR extension). When the 
SCR file is run, the Word document is displayed as normal.

Advanced
W32/Rungbu-A is a companion virus for the Windows platform.

W32/Rungbu-A infects Microsoft Word DOC files by copying itself to 
the same filename but with an SCR extension, appending the DOC file 
to the SCR copy, and then hiding the original DOC file.

W32/Rungbu-A then sets the computer not to show hidden files (in 
order to hide the DOC file), to give SCR files a Word icon (so the 
SCR file looks like a Word file), and to hide file extensions (so the 
SCR file just displays the filename, not the SCR extension). When the 
SCR file is run, the Word document is displayed as normal.

When W32/Rungbu-A is installed the following files are created:

<Current folder>\<Original filename>.doc
<Current folder>\<Original filename>`.!!!
<Temp>\Flu Burung.txt
<Program Files>\Microsoft Office\Office\docicon.exe
C:\Recycled\ctfmon.exe
C:\Recycled\smss.exe
C:\Recycled\spoolsv.exe
C:\Recycled\svchost.exe

The EXE files are all detected as W32/Rungbu-A. All the other files 
are clean.

The following registry entries are changed to run W32/Rungbu-A on 
startup:

HKCU\Software\Microsoft\Windows NT\CurrentVersion\Winlogon
Shell
Explorer.exe "C:\recycled\SVCHOST.exe"

(the default value for this registry entry is "Explorer.exe" which 
causes the Microsoft file <Windows folder>\Explorer.exe to be run on 
startup).

HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon
Userinit
C:\recycled\SVCHOST.exe,

(the default value for this registry entry is "<Windows 
folder>\System32\userinit.exe,").

The following registry entries are set in order to hide file 
extensions:

HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced
HideFileExt
1

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder
\HideFileExt
UncheckedValue
1

The following registry entries are set in order to not show hidden 
files:

HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced
ShowSuperHidden
0

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder
\SuperHidden
UncheckedValue
0

The following registry entries are set in order to change the default 
icon for Microsoft Word documents

HKCR\Word.Document.8\DefaultIcon
(default)
<Program Files>\Microsoft Office\Office\docicon.exe

(the default value for this registry entry is "<Program 
Files>\Microsoft Office\Office\Winword.exe,1")

Registry entries are modified under HKCR\scrfile, including the 
following:

HKCR\scrfile
(default)
Microsoft Word Document





Name   W32/Looked-AF

Type  
    * Virus

How it spreads  
    * Infected files

Affected operating systems  
    * Windows

Side effects  
    * Downloads code from the internet
    * Installs itself in the Registry

Prevalence (1-5) 2

Description
W32/Looked-AF is a virus for the Windows platform.

W32/Looked-AF includes functionality to access the internet and 
communicate with a remote server via HTTP.

Advanced
W32/Looked-AF is a virus for the Windows platform.

W32/Looked-AF includes functionality to access the internet and 
communicate with a remote server via HTTP.

When first run W32/Looked-AF copies itself to <Windows>\rundl132.exe 
and creates the following files:

<Windows>\Dll.dll - also detected as W32/Looked-AF

The following registry entry is created to run rundl132.exe on startup:

HKCU\Software\Microsoft\Windows NT\CurrentVersion\Windows
load
<Windows>\rundl132.exe

Registry entries are created under:

HKLM\SOFTWARE\Soft\DownloadWWW\





Name   Troj/WOW-HL

Type  
    * Spyware Trojan

Affected operating systems  
    * Windows

Side effects  
    * Steals information
    * Installs itself in the Registry

Aliases  
    * Trojan-PSW.Win32.WOW.ke
    * PWS-WoW

Prevalence (1-5) 2

Description
Troj/WOW-HL is a password stealing Trojan for the Windows platform.

Advanced
Troj/WOW-HL is a password stealing Trojan for the Windows platform.

When first run Troj/WOW-HL copies itself to:

<Common Files>\iexplore.pif
<Program Files>\Internet Explorer\iexplore.com
<Windows>\1.com
<Windows>\Debug\DebugProgram.exe
<Windows>\ExERoute.exe
<Windows>\explorer.com
<Windows>\finder.com
<Windows>\smss.exe
<System>\command.pif
<System>\dxdiag.com
<System>\finder.com
<System>\msconfig.com
<System>\regedit.com
<System>\rundll32.com

The following registry entry is created to run Troj/WOW-HL on startup:

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
TProgram
<Windows>\SMSS.EXE

The file iexplore.com is registered as a COM object, creating 
registry entries under:

HKCR\CLSID\{871C5380-42A0-1069-A2EA-08002B30309D}

Troj/WOW-HL changes settings for Microsoft Internet Explorer by 
modifying values under:

HKCU\Software\Microsoft\Internet Explorer\Main

Registry entries are set as follows:

HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon
Shell
Explorer.exe 1

HKCR\.bfc\ShellNew
Command
<System>\rundll32.com syncui.dll,Briefcase_Create %1!d! %2

HKCR\Drive\shell\find\command
(default)
<Windows>\explorer.com

HKCR\Unknown\shell\openas\command
(default)
<System>\finder.com <System>\shell32.dll,OpenAs_RunDLL %1

HKCR\cplfile\shell\cplopen\command
(default)
rundll32.com shell32.dll,Control_RunDLL %1,%*

HKCR\htmlfile\shell\opennew\command
(default)
<Common Files>\iexplore.pif" %1

HKCR\htmlfile\shell\print\command
(default)
rundll32.com <System>\mshtml.dll,PrintHTML "%1"

HKCR\inffile\shell\Install\command
(default)
<System>\rundll32.com setupapi,InstallHinfSection DefaultInstall 
132 %1

HKCR\scrfile\shell\install\command
(default)
finder.com desk.cpl,InstallScreenSaver %l

HKCR\scriptletfile\Shell\Generate Typelib\command
(default)
<System>\finder.com" <System>\scrobj.dll,GenerateTypeLib "%1

 
--- MultiMail/Win32 v0.43
 * Origin: Try Our Web Based QWK: DOCSPLACE.ORG (1:123/140)