Text 241, 1503 lines
Written 2006-11-11 11:30:00 by KURT WISMER (1:123/140)
Subject: News, November 11 2006
==============================
[cut-n-paste from sophos.com]
Name W32/Looked-AS
Type
* Virus
How it spreads
* Network shares
* Infected files
Affected operating systems
* Windows
Side effects
* Steals information
* Downloads code from the internet
* Records keystrokes
Prevalence (1-5) 2
Description
W32/Looked-AS is a virus for the Windows platform.
W32/Looked-AS includes functionality to access the internet and
communicate with a remote server via HTTP.
Advanced
W32/Looked-AS is a virus for the Windows platform.
W32/Looked-AS includes functionality to access the internet and
communicate with a remote server via HTTP.
When first run W32/Looked-AS copies itself to <Windows>\rundl132.exe
and creates the following files:
<Windows>\Dll.dll - also detected as W32/Looked-AS
Registry entries are created under:
HKLM\SOFTWARE\Soft\DownloadWWW\
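Every entry pasted into this message uses the same flat Sophos layout: a Name line, bulleted Type / How it spreads / Affected operating systems / Side effects / Aliases sections, a Prevalence score, then Description and Advanced prose in which a registry entry appears as a key line followed by a value-name line and a data line. The parser below is an added example, not part of the original message and not Sophos's own tooling; it turns that layout into records and lifts out the autostart registry entries so they can be loaded into an inventory or SIEM. The SAMPLE text is constructed from two entries in this message, and the key/value/data heuristic (a key ending in a backslash, or followed by another key or a sentence, is a bare key) is an assumption that holds for the entries here but should be checked before use on other pages.

```python
import re
from dataclasses import dataclass, field
from typing import Optional

# Section headings of the Sophos layout used by every entry in this message
LIST_SECTIONS = ("Type", "How it spreads", "Affected operating systems",
                 "Side effects", "Aliases")
TEXT_SECTIONS = ("Description", "Advanced")
REG_ROOT = re.compile(r"^(HKLM|HKCU|HKCR|HKU)\\")
PREVALENCE = re.compile(r"^Prevalence \(1-5\) (\d)$")

# Constructed sample: the W32/Looked-AS entry above (trimmed) plus the registry
# part of the Troj/Lineag-ADS entry further down, with their original wrapping
SAMPLE = r"""Name W32/Looked-AS
Type
* Virus
Side effects
* Steals information
* Downloads code from the internet
* Records keystrokes
Prevalence (1-5) 2
Advanced
When first run W32/Looked-AS copies itself to <Windows>\rundl132.exe
and creates the following files:
<Windows>\Dll.dll - also detected as W32/Looked-AS
Registry entries are created under:
HKLM\SOFTWARE\Soft\DownloadWWW\
Name Troj/Lineag-ADS
Type
* Spyware Trojan
Aliases
* Trojan-PSW.Win32.Nilage.apl
Prevalence (1-5) 2
Advanced
The following registry entry is created to run rundll32.exe on startup:
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Rr2
<Windows>\addins\rundll32.exe
"""

@dataclass
class Entry:
    name: str
    lists: dict = field(default_factory=dict)   # section -> bullet items
    text: dict = field(default_factory=dict)    # section -> prose lines
    prevalence: Optional[int] = None

def split_entries(page):
    """Yield the lines of each entry; an entry starts at a 'Name ' line,
    anything before the first one (mail headers etc.) is dropped."""
    block = None
    for line in page.splitlines():
        if line.startswith("Name "):
            if block:
                yield block
            block = [line]
        elif block is not None:
            block.append(line)
    if block:
        yield block

def parse_entry(lines):
    lines = [l.rstrip() for l in lines if l.strip()]
    entry = Entry(name=lines[0][len("Name "):].strip())
    section = None
    for line in lines[1:]:
        m = PREVALENCE.match(line)
        if m:
            entry.prevalence = int(m.group(1))
            section = None
        elif line in LIST_SECTIONS:
            section = line
            entry.lists[section] = []
        elif line in TEXT_SECTIONS:
            section = line
            entry.text[section] = []
        elif section in LIST_SECTIONS and line.startswith("* "):
            entry.lists[section].append(line[2:])
        elif section in TEXT_SECTIONS:
            entry.text[section].append(line)
    return entry

def parse_page(page):
    return [parse_entry(b) for b in split_entries(page)]

def _is_key(line):
    return bool(REG_ROOT.match(line))

def _is_prose(line):   # heuristic: sentences have spaces and end in . : )
    return " " in line and line.endswith((".", ":", ")"))

def registry_triples(entry):
    """(key, value_name, data) for every registry key in the Advanced text;
    value_name/data are None for a key listed without a value."""
    lines = entry.text.get("Advanced", [])
    triples, i = [], 0
    while i < len(lines):
        key = lines[i]
        if not _is_key(key):
            i += 1
            continue
        nxt = lines[i + 1] if i + 1 < len(lines) else None
        if key.endswith("\\") or nxt is None or _is_key(nxt) or _is_prose(nxt):
            triples.append((key, None, None))
            i += 1
            continue
        after = lines[i + 2] if i + 2 < len(lines) else None
        data = None if after is None or _is_key(after) or _is_prose(after) else after
        triples.append((key, nxt, data))
        i += 3 if data is not None else 2
    return triples

def autostart_indicators(entries):
    """(malware, key, value, data) for entries under the usual autostart keys."""
    out = []
    for e in entries:
        for key, value, data in registry_triples(e):
            k = key.lower()
            if value is not None and ("\\currentversion\\run" in k or "\\winlogon" in k
                                      or "\\sharedtaskscheduler" in k or k.endswith("\\windows")):
                out.append((e.name, key, value, data))
    return out
```

Running `parse_page` over the whole message body gives one record per entry; `autostart_indicators` is the part worth keeping, since the Run, Winlogon, SharedTaskScheduler and CurrentVersion\Windows values are what an endpoint inventory can be compared against.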

Name Troj/QQRob-AAT
Type
* Trojan
Affected operating systems
* Windows
Side effects
* Installs itself in the Registry
* Leaves non-infected files on computer
Aliases
* Trojan.Win32.VB.atg
Prevalence (1-5) 2
Description
Troj/QQRob-AAT is a Trojan for the Windows platform.
Advanced
Troj/QQRob-AAT is a Trojan for the Windows platform.
When Troj/QQRob-AAT is installed it creates the file
<Windows>\ufdata2000.log.
The following registry entries are set:
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
ASocksrv
SocksA.exe
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\Hidden\SHOWALL
CheckedValue
0

Name Troj/Lineag-ADS
Type
* Spyware Trojan
Affected operating systems
* Windows
Side effects
* Steals information
* Installs itself in the Registry
Aliases
* Trojan-PSW.Win32.Nilage.apl
* PWS-Lineage.dll
* Win32/PSW.Lineage.NCQ
* TSPY_LINEAGE.DCA
Prevalence (1-5) 2
Description
Troj/Lineag-ADS is a password stealing Trojan for the Windows platform.
Troj/Lineag-ADS includes functionality to access the internet and
communicate with a remote server via HTTP.
Advanced
Troj/Lineag-ADS is a password stealing Trojan for the Windows platform.
Troj/Lineag-ADS includes functionality to access the internet and
communicate with a remote server via HTTP.
When first run Troj/Lineag-ADS copies itself to
<Windows>\addins\rundll32.exe and creates the file <System>\r2dll.dll.
The following registry entry is created to run rundll32.exe on startup:
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Rr2
<Windows>\addins\rundll32.exe

Name W32/Nubys-A
Type
* Virus
How it spreads
* Network shares
* Infected files
Affected operating systems
* Windows
Side effects
* Downloads code from the internet
* Installs itself in the Registry
Aliases
* Trojan-Downloader.Win32.Agent.bam
Prevalence (1-5) 2
Description
W32/Nubys-A is a virus for the Windows platform.
W32/Nubys-A attempts to infect EXE files across a network.
W32/Nubys-A also includes functionality to download, install and run
new software.
Advanced
W32/Nubys-A is a virus for the Windows platform.
W32/Nubys-A attempts to infect EXE files across a network.
W32/Nubys-A also includes functionality to download, install and run
new software.
When first run W32/Nubys-A copies itself to <Windows>\winabc3.exe.
The virus attempts to download malicious files to the following
locations:
<Windows>\a1.exe
<Windows>\a2.exe
<Windows>\a3.exe
<Windows>\a4.exe
<Windows>\a5.exe
<Windows>\a6.exe
The following registry entry is created to run winabc3.exe on startup:
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\Run
KernelFaultCheck
<Windows>\winabc3.exe

Name W32/Dref-N
Type
* Virus
How it spreads
* Email attachments
* Infected files
Affected operating systems
* Windows
Side effects
* Allows others to access the computer
* Sends itself to email addresses found on the infected computer
* Modifies data on the computer
* Forges the sender's email address
* Downloads code from the internet
* Installs itself in the Registry
Aliases
* W32/Nuwar@MM
Prevalence (1-5) 2
Description
W32/Dref-N is a mass-mailing worm and parasitic virus with IRC
backdoor functionality for the Windows platform.
Advanced
W32/Dref-N is a mass-mailing worm and parasitic virus with IRC
backdoor functionality for the Windows platform.
When first run W32/Dref-N copies itself to <System>\wservice.exe.
W32/Dref-N will attempt to infect SCR, HTM, HTA, EXE and RAR files
then email itself as an attachment to email addresses harvested from
the infected computer.
Files infected with the virus are detected as W32/Dref-L.
W32/Dref-N may arrive in an email message with the following
characteristics:
Subject line: chosen from
White house news!
READ AND RESEND ASAP!
NEWS!
ATTN TO EVERYBODY!
Incredible news!
ATTN
URGENT NEWS!
URG
Message text: chosen from
3rd Glogal War Just Started!!! Read more in file!
Nuclear War in Russia! Read news in file!
President Bush DEAD! Read attached file!
Putin and Bush starts NUCLEAR WAR! Check the file!
Nuclear WAR in USA! Read attached file!
GLOBAL NUCLEAR WAR JUST STARTED! News in file.
President Putin dead! Read more in attached file!
Attached file: chosen from
truth.exe
last.exe
lasest news.exe
never.exe
war.exe
about me.exe
a.exe
read me .exe
open.exe
The files attached in the emails are detected as Troj/DwnLdr-FUY.
The following registry entries are created to run wservice.exe on
startup:
HKCU\Software\Microsoft\Windows\CurrentVersion\Run
UpdateService
<System>\wservice.exe
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
UpdateService
<System>\wservice.exe
W32/Dref-N sets the following registry entries, disabling the
automatic startup of other software:
HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess
Start
4
Note: disabling autostart for the SharedAccess service deactivates
the Microsoft Internet Connection Firewall (ICF).

Name W32/RJump-G
Type
* Worm
Affected operating systems
* Windows
Side effects
* Downloads code from the internet
* Reduces system security
* Installs itself in the Registry
Aliases
* Worm.Win32.RJump.a
* Win32/RJump.A
* WORM_SIWEOL.A
Prevalence (1-5) 2
Description
W32/RJump-G is a worm for the Windows platform.
W32/RJump-G may attempt to copy itself to usb disk devices and create
an "autorun.inf" file which will attempt to load the worm
automatically when the infected drive is accessed.
Advanced
W32/RJump-G is a worm for the Windows platform.
W32/RJump-G may attempt to copy itself to usb disk devices and create
an "autorun.inf" file which will attempt to load the worm
automatically when the infected drive is accessed.
W32/RJump-G also creates a backdoor on a random port between 12000
and 19000, enabling a remote user to control the infected computer.
W32/RJump-G may copy itself to the following filename:
<Windows>\ravmone.exe
When installed, W32/RJump-G may create the following registry entry,
enabling it to run automatically on startup:
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
RavAV
<Windows>\ravmone.exe
W32/RJump-G may also attempt to modify the Windows Firewall
permissions to allow traffic to the backdoor.

Name Troj/Lineag-AED
Type
* Spyware Trojan
Affected operating systems
* Windows
Side effects
* Allows others to access the computer
* Steals information
* Downloads code from the internet
* Records keystrokes
* Installs itself in the Registry
* Leaves non-infected files on computer
Prevalence (1-5) 2
Description
Troj/Lineag-AED is a backdoor Trojan for the Windows platform.
Troj/Lineag-AED includes keylogging functionality.
Advanced
Troj/Lineag-AED is a backdoor Trojan for the Windows platform.
Troj/Lineag-AED includes keylogging functionality.
When first run Troj/Lineag-AED copies itself to
<Windows>\command\rundll32.exe and creates the following files:
<Temp>\ikfbpr.dll
<System>\tdll.dll
These files are also detected as Troj/Lineag-AED.
Troj/Lineag-AED inserts itself into Explorer.exe process space.
The following registry entry is created to run rundll32.exe on startup:
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Tray
<Windows>\command\rundll32.exe

Name Troj/Clagger-AI
Type
* Trojan
Affected operating systems
* Windows
Side effects
* Downloads code from the internet
* Installs itself in the Registry
Prevalence (1-5) 2
Description
Troj/Clagger-AI is a download Trojan for the Windows platform.
Troj/Clagger-AI attempts to download and execute files from remote
websites.
Troj/Clagger-AI displays a fake error message with a title the same
as its filename and the following text:
Acrobat 6 - Error "Warning" 20225
Troj/Clagger-AI also sets the following registry entry:
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion
windowsshell
1
Advanced
Troj/Clagger-AI is a download Trojan for the Windows platform.
Troj/Clagger-AI attempts to download and execute files from remote
websites.
When first run Troj/Clagger-AI copies itself to <System>\ipf.exe and
creates the clean text file <System>\drivers\winut.dat.
The following registry entry is created to run ipf.exe on startup:
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
ifp
<System>\ipf.exe
Troj/Clagger-AI displays a fake error message with a title the same
as its filename and the following text:
Acrobat 6 - Error "Warning" 20225
Troj/Clagger-AI also sets the following registry entry:
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion
windowsshell
1

Name W32/Rungbu-C
Type
* Virus
How it spreads
* Infected files
Affected operating systems
* Windows
Side effects
* Modifies data on the computer
* Installs itself in the Registry
* Leaves non-infected files on computer
Aliases
* Worm.Win32.VB.du
* Win32/VB.NHV
Prevalence (1-5) 2
Description
W32/Rungbu-C is a companion virus for the Windows platform.
W32/Rungbu-C infects Microsoft Word DOC files by copying itself to
the same filename but with an SCR extension, appending the DOC file
to the SCR copy, and then hiding the original DOC file.
W32/Rungbu-C then sets the computer not to show hidden files (in
order to hide the DOC file), to give SCR files a Word icon (so the
SCR file looks like a Word file), and to hide file extensions (so the
SCR file just displays the filename, not the SCR extension). When the
SCR file is run, the Word document is displayed as normal.
Advanced
W32/Rungbu-C is a companion virus for the Windows platform.
W32/Rungbu-C infects Microsoft Word DOC files by copying itself to
the same filename but with an SCR extension, appending the DOC file
to the SCR copy, and then hiding the original DOC file.
W32/Rungbu-C then sets the computer not to show hidden files (in
order to hide the DOC file), to give SCR files a Word icon (so the
SCR file looks like a Word file), and to hide file extensions (so the
SCR file just displays the filename, not the SCR extension). When the
SCR file is run, the Word document is displayed as normal.
When W32/Rungbu-C is installed the following files are created:
<Current folder>\<Original filename>.doc
<Current folder>\<Original filename>`.!!!
<Temp>\Flu Burung.txt
<Program Files>\Microsoft Office\Office\docicon.exe
C:\Recycled\ctfmon.exe
C:\Recycled\smss.exe
C:\Recycled\spoolsv.exe
C:\Recycled\svchost.exe
The EXE files are all detected as W32/Rungbu-C. All the other files
are not malicious and can be deleted.
The following registry entries are changed to run W32/Rungbu-C on
startup:
HKCU\Software\Microsoft\Windows NT\CurrentVersion\Winlogon
Shell
Explorer.exe "C:\recycled\SVCHOST.exe"
(the default value for this registry entry is "Explorer.exe" which
causes the Microsoft file <Windows folder>\Explorer.exe to be run on
startup).
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon
Userinit
C:\recycled\SVCHOST.exe,
(the default value for this registry entry is "<Windows folder>\System32\userinit.exe,").
The following registry entries are set in order to hide file
extensions:
HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced
HideFileExt
1
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\HideFileExt
UncheckedValue
1
The following registry entries are set in order to not show hidden
files:
HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced
ShowSuperHidden
0
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\SuperHidden
UncheckedValue
0
The following registry entries are set in order to change the default
icon for Microsoft Word documents:
HKCR\Word.Document.8\DefaultIcon
(default)
<Program Files>\Microsoft Office\Office\docicon.exe
(the default value for this registry entry is "<Program Files>\Microsoft Office\Office\Winword.exe,1")
Registry entries are modified under HKCR\scrfile, including the
following:
HKCR\scrfile
(default)
Microsoft Word Document
(the default value for this registry entry is "Screen Saver")
HKCR\scrfile\shell\open
(default)
""
(the default value for this registry entry is: "T&est")
W32/Rungbu-C deletes the following registry entries:
HKCR\scrfile\shell\config
(default)
"C&onfigure"
HKCR\scrfile\shell\config\command
(default)
"\"%1\""
HKCR\scrfile\shell\install
(default)
"&Install"
HKCR\scrfile\shell\install\command
(default)
"rundll32.exe desk.cpl,InstallScreenSaver %l"
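The changes listed above are what let the SCR companion pass for the document: extensions stay hidden even if the user unchecks the box, hidden files stay hidden, Winlogon is pointed at the copy in the Recycle Bin, and the scrfile type is relabelled as a Word document. The Python below is an added example, not from the message or Sophos: an audit over an in-memory registry snapshot that reports each deviation from the defaults the description quotes (it also catches the Winlogon Userinit change Troj/Lineag-AEG makes later in this message). The snapshot dicts are constructed; the Folder-options policy defaults (HideFileExt UncheckedValue 0, SuperHidden UncheckedValue 1, Hidden\SHOWALL CheckedValue 1) and the C:\WINDOWS and Office paths are assumptions to verify against a known-clean reference machine.

```python
FOLDER_POLICY = r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder"
WINLOGON_CU = r"HKCU\Software\Microsoft\Windows NT\CurrentVersion\Winlogon"
WINLOGON_LM = r"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon"
WORD_ICON = r"HKCR\Word.Document.8\DefaultIcon"
SCRFILE = r"HKCR\scrfile"

# Folder-options policy values on a clean Windows XP install (assumption of this
# example). W32/Rungbu-C flips the first two so that toggling the checkbox in
# Explorer has no effect; Troj/QQRob-AAT earlier in this message zeroes the third.
EXPECTED_POLICY = {
    (FOLDER_POLICY + r"\HideFileExt", "UncheckedValue"): 0,
    (FOLDER_POLICY + r"\SuperHidden", "UncheckedValue"): 1,
    (FOLDER_POLICY + r"\Hidden\SHOWALL", "CheckedValue"): 1,
}

def _get(snapshot, key, value):
    return snapshot.get(key, {}).get(value)

def audit_companion_tampering(snapshot, windir=r"C:\WINDOWS",
                              office_dir=r"C:\Program Files\Microsoft Office\Office"):
    """snapshot: {key: {value_name: data}}. Returns (finding, key, value, data)
    for every deviation; an empty list means none of the described changes
    is present. The per-user HideFileExt=1 / ShowSuperHidden=0 values are
    Windows defaults, so they are deliberately not treated as findings."""
    findings = []
    for (key, value), expected in EXPECTED_POLICY.items():
        actual = _get(snapshot, key, value)
        if actual is not None and actual != expected:
            findings.append(("folder-option policy altered", key, value, actual))
    shell = _get(snapshot, WINLOGON_CU, "Shell")
    if shell is not None and shell.strip().lower() != "explorer.exe":
        findings.append(("Winlogon Shell not default", WINLOGON_CU, "Shell", shell))
    userinit = _get(snapshot, WINLOGON_LM, "Userinit")
    expected_userinit = (windir + r"\System32\userinit.exe,").lower()
    if userinit is not None and userinit.strip().lower() != expected_userinit:
        findings.append(("Winlogon Userinit not default", WINLOGON_LM, "Userinit", userinit))
    icon = _get(snapshot, WORD_ICON, "(default)")
    if icon is not None and not icon.lower().startswith((office_dir + r"\Winword.exe").lower()):
        findings.append(("Word DefaultIcon redirected", WORD_ICON, "(default)", icon))
    scr = _get(snapshot, SCRFILE, "(default)")
    if scr is not None and scr != "Screen Saver":
        findings.append(("scrfile type name spoofed", SCRFILE, "(default)", scr))
    return findings

# Constructed snapshots: the values the description attributes to Rungbu-C,
# and a clean machine using the defaults the description quotes.
INFECTED = {
    FOLDER_POLICY + r"\HideFileExt": {"UncheckedValue": 1},
    FOLDER_POLICY + r"\SuperHidden": {"UncheckedValue": 0},
    FOLDER_POLICY + r"\Hidden\SHOWALL": {"CheckedValue": 1},
    WINLOGON_CU: {"Shell": r'Explorer.exe "C:\recycled\SVCHOST.exe"'},
    WINLOGON_LM: {"Userinit": r"C:\recycled\SVCHOST.exe,"},
    WORD_ICON: {"(default)": r"C:\Program Files\Microsoft Office\Office\docicon.exe"},
    SCRFILE: {"(default)": "Microsoft Word Document"},
}
CLEAN = {
    FOLDER_POLICY + r"\HideFileExt": {"UncheckedValue": 0},
    FOLDER_POLICY + r"\SuperHidden": {"UncheckedValue": 1},
    FOLDER_POLICY + r"\Hidden\SHOWALL": {"CheckedValue": 1},
    WINLOGON_CU: {"Shell": "Explorer.exe"},
    WINLOGON_LM: {"Userinit": r"C:\WINDOWS\system32\userinit.exe,"},
    WORD_ICON: {"(default)": r"C:\Program Files\Microsoft Office\Office\Winword.exe,1"},
    SCRFILE: {"(default)": "Screen Saver"},
}

if __name__ == "__main__":
    for finding in audit_companion_tampering(INFECTED):
        print(finding)
```

The policy-key and Winlogon deviations are what separate tampering from a default install; on a live machine the snapshot would be filled from `reg query` or `winreg` reads of the same seven keys.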

Name Troj/Lowzone-DP
Type
* Trojan
Affected operating systems
* Windows
Aliases
* Trojan.Win32.LowZones.ds
Prevalence (1-5) 2
Description
Troj/Lowzone-DP is a Trojan for the Windows platform.
Advanced
Troj/Lowzone-DP is a Trojan for the Windows platform.
The following registry entries are set, affecting internet security:
HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\cywanstorage.biz\
HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\cywanstorage.biz\www\
HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\cywanstorage.biz\www
*
2
HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\forteforte.com\
HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\forteforte.com\www\
HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\forteforte.com\www
*
2
HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\ricercadoppia.com\
HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\2
1004
0
HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\2
1201
0
HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\2
MinLevel
0
HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\2
RecommendedLevel
0
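Mapping a host under ZoneMap\Domains to zone 2 puts it in Internet Explorer's Trusted sites zone, and setting URL actions 1004 (download unsigned ActiveX controls) and 1201 (initialise and script ActiveX controls not marked as safe) to 0 enables them for that zone; MinLevel and RecommendedLevel at 0 remove the floor IE would otherwise enforce on the zone's security level. As an added example (not from the message or Sophos), the Python below parses a reg export of those keys and lists the trusted-site additions and the weakened zone settings. The export text is constructed from the values quoted above; the action-ID meanings follow Microsoft's documented URL action list and the zone numbering (2 = Trusted sites) is the standard one.

```python
import re

ZONE_NAMES = {0: "My Computer", 1: "Local intranet", 2: "Trusted sites",
              3: "Internet", 4: "Restricted sites"}
# URL action IDs listed in the Troj/Lowzone-DP description; data 0 means "Enable"
WATCHED_ACTIONS = {
    "1004": "Download unsigned ActiveX controls",
    "1201": "Initialize and script ActiveX controls not marked as safe",
}

# Constructed reg-export text built from the values quoted in the description
SAMPLE_EXPORT = r"""Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\cywanstorage.biz]

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\cywanstorage.biz\www]
"*"=dword:00000002

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\forteforte.com\www]
"*"=dword:00000002

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\ricercadoppia.com]

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\2]
"DisplayName"="Trusted sites"
"1004"=dword:00000000
"1201"=dword:00000000
"MinLevel"=dword:00000000
"RecommendedLevel"=dword:00000000
"""

def parse_reg_export(text):
    """Minimal parser for 'reg export' output: {key: {name: data}} with
    dword data as int and quoted string data as str (other types kept raw)."""
    result, key = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";") or line.startswith("Windows Registry"):
            continue
        if line.startswith("[") and line.endswith("]"):
            key = line[1:-1]
            result.setdefault(key, {})
            continue
        m = re.match(r'^(@|"([^"]*)")=(.*)$', line)
        if not m or key is None:
            continue
        name = "(default)" if m.group(1) == "@" else m.group(2)
        data = m.group(3)
        if data.startswith("dword:"):
            result[key][name] = int(data[len("dword:"):], 16)
        elif data.startswith('"') and data.endswith('"'):
            result[key][name] = data[1:-1]
        else:
            result[key][name] = data
    return result

def zone_assignments(reg):
    """[(host, scheme, zone)] for every ZoneMap\\Domains entry. The key tail
    Domains\\example.com\\www names host www.example.com; the value name is
    the scheme ('*' covers all) and its data is the zone number."""
    out = []
    for key, values in reg.items():
        m = re.search(r"\\ZoneMap\\Domains\\(.+)$", key, re.IGNORECASE)
        if not m:
            continue
        host = ".".join(reversed(m.group(1).split("\\")))
        for scheme, zone in values.items():
            if isinstance(zone, int):
                out.append((host, scheme, zone))
    return out

def trusted_zone_additions(reg):
    return [(h, s) for h, s, z in zone_assignments(reg) if z == 2]

def weakened_zone_settings(reg, zone=2):
    """Watched URL actions set to 0 (Enable) in the zone, plus MinLevel or
    RecommendedLevel at 0, which lets the zone sit below its normal floor."""
    pattern = re.escape("\\Zones\\%d" % zone) + "$"
    findings = []
    for key, values in reg.items():
        if not re.search(pattern, key, re.IGNORECASE):
            continue
        for name, data in values.items():
            if name in WATCHED_ACTIONS and data == 0:
                findings.append((name, WATCHED_ACTIONS[name] + " enabled"))
            elif name in ("MinLevel", "RecommendedLevel") and data == 0:
                findings.append((name, "security level floor removed for " + ZONE_NAMES[zone]))
    return findings
```

On a real machine the input would be `reg export "HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings" out.reg`, and any host in `trusted_zone_additions` that the user did not add is worth an explanation.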

Name Troj/DwnLdr-FVC
Type
* Trojan
Affected operating systems
* Windows
Side effects
* Downloads code from the internet
* Reduces system security
* Leaves non-infected files on computer
Aliases
* Trojan-Downloader.Win32.Small.dwc
Prevalence (1-5) 2
Description
Troj/DwnLdr-FVC is a Trojan for the Windows platform.
Advanced
Troj/DwnLdr-FVC is a Trojan for the Windows platform.
When Troj/DwnLdr-FVC is installed it creates the file
<Common Files>\System\<random characters>.dll. This file can be safely deleted.
The following registry entry is created to run code exported by
Network Neighborhood on startup:
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler
(9F143C3A-1457-6CCA-03A7-7AA23B61E40F)
Network Neighborhood
The file kbui32.dll is registered as a COM object, creating registry
entries under:
HKCR\CLSID\(9F143C3A-1457-6CCA-03A7-7AA23B61E40F)
Troj/DwnLdr-FVC includes functionality to:
- run netshell commands to allow processes to bypass existing
firewall settings
- download code from the internet

Name Troj/Lineag-AEG
Type
* Spyware Trojan
Affected operating systems
* Windows
Side effects
* Steals information
* Drops more malware
* Installs itself in the Registry
Aliases
* Trojan-PSW.Win32.Delf.rt
Prevalence (1-5) 2
Description
Troj/Lineag-AEG is a Trojan for the Windows platform.
Advanced
Troj/Lineag-AEG is a Trojan for the Windows platform.
When first run Troj/Lineag-AEG copies itself to
<Program Files>\Windows Media Player\svchost.exe
and creates the following files:
<Temp>\aq4v.dll
<System>\pdll.dll
The files are also detected as Troj/Lineag-AEG.
The following registry entry is changed to run Troj/Lineag-AEG on
startup:
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon
Userinit
<path of Trojan executable>

Name W32/Backterra-F
Type
* Worm
How it spreads
* Peer-to-peer
Affected operating systems
* Windows
Side effects
* Installs itself in the Registry
Aliases
* P2P-Worm.Win32.VB.dz
* W32/Bactera.worm!p2p
Prevalence (1-5) 2
Description
W32/Backterra-F is a worm for the Windows platform that targets
peer-to-peer file share networks.
When executed W32/Backterra-F displays the fake error message
"Missing MFClibrary.dll"
Advanced
W32/Backterra-F is a worm for the Windows platform that targets
peer-to-peer file share networks.
When executed W32/Backterra-F displays the fake error message
"Missing MFClibrary.dll"
When first run W32/Backterra-F copies itself to:
\AntiVirScan.exe
\bac.exe
\bac2.exe
Registry entries are created under:
HKCU\Software\VB and VBA Program Settings\Bactera\BAC3\
The first copy of W32/Backterra-F executes the copy named
AntiVirScan.exe. This second copy runs silently in the background,
and periodically attempts to make a copy of W32/Backterra-F in
popular filesharing locations. Typical filenames include:
RegSpy 1.70 and all lower Versions Crack & KeyGen.exe
Ambulance Driver Crack & KeyGen all Versions.exe
No One Lifes Forever 2 Crack & KeyGen all Versions.exe
NTI Ripper 2.0.0.8 and all lower Versions Crack & KeyGen.exe
Brockhaus Multimedial 2006 Prem. DVD and all lower Versions Crack & KeyGen.exe
Salvo Crack & KeyGen all Versions.exe
StarShip Troopers Crack & KeyGen all Versions.exe
CyberLink PowerDirektor 5 Deluxe and all lower Versions Crack & KeyGen.exe
Neuro Hunter (DVD) Crack & KeyGen all Versions.exe
PCMedik 6.2.10.2004 and all lower Versions Crack & KeyGen.exe
Ulead Photoexplorer 7.02 and all lower Versions Crack & KeyGen.exe
Air Raid Crack & KeyGen all Versions.exe
Webroot SpySweeper v4.5.9.709 and all lower Versions Crack & KeyGen.exe
Mercedes Benz World Racing Crack & KeyGen all Versions.exe
ICQ 2003 Pro and all lower Versions Crack & KeyGen.exe
Master Of Magic Crack & KeyGen all Versions.exe
Microsoft Windows 2003 Datacenter with SP1 and all lower Versions Crack & KeyGen.exe
SAS Anti-Terror Force Crack & KeyGen all Versions.exe
Hugo And The Evil Mirror Crack & KeyGen all Versions.exe
Cue Club Crack & KeyGen all Versions.exe
Another War Crack & KeyGen all Versions.exe
Panzer General 2 Crack & KeyGen all Versions.exe
Intel C Plus Plus Compiler v9.0.024 and all lower Versions Crack & KeyGen.exe
Stubbs the Zombie Crack & KeyGen all Versions.exe
DVDX Platinum v2.0.0.32 and all lower Versions Crack & KeyGen.exe
Classic Textadventures Crack & KeyGen all Versions.exe
Muscle Car II American Spirit Crack & KeyGen all Versions.exe
Microsoft All Windows -DVD VERSION-ENG and all lower Versions Crack & KeyGen.exe
Nocturne Crack & KeyGen all Versions.exe
Legion Arena Crack & KeyGen all Versions.exe
MathMagic Pro Edition v2.0.2 and all lower Versions Crack & KeyGen.exe
1944 - Winterschlacht in den Ardennen Crack & KeyGen all Versions.exe
Septerra Core Legacy Of The Creator Crack & KeyGen all Versions.exe
Creatures 3 Crack & KeyGen all Versions.exe
Ashampoo Photo Commander v4.0.0 and all lower Versions Crack & KeyGen.exe
Macromedia ColdFusion Server MX 6.0 and all lower Versions Crack & KeyGen.exe
Adobe Photoshop CS v8.0 -Englisch and all lower Versions Crack & KeyGen.exe
Fable Crack & KeyGen all Versions.exe
Ad-Aware plus 5.8 and all lower Versions Crack & KeyGen
Ad-Aware Pro v6.00 b181 and all lower Versions Crack & KeyGen
McAfee AntiSpyware Enterprise v8.5sa and all lower Versions Crack & KeyGen
McAfee Internet Security v5.0 and all lower Versions Crack & KeyGen
McAfee Personal Firewall Plus v7.1.113 and all lower Versions Crack & KeyGen
McAfee QuickClean v6.00.7.0 and all lower Versions Crack & KeyGen
McAfee VirusScan v.5.13.1 and all lower Versions Crack & KeyGen
McAfee VirusScan v10.0.25 and all lower Versions Crack & KeyGen
Webroot Window Washer 6.0.1408 and all lower Versions Crack & KeyGen
Winternals Administrators Pak 5.0 and all lower Versions Crack & KeyGen
Winternals Defrag Manager v2.5.2.0 and all lower Versions Crack & KeyGen

Name W32/Etyb-A
Type
* Virus
Affected operating systems
* Windows
Side effects
* Modifies data on the computer
* Installs itself in the Registry
* Leaves non-infected files on computer
Prevalence (1-5) 2
Description
W32/Etyb-A is a virus for the Windows platform.
As W32/Etyb-A may overwrite certain Windows system files, the
existing non-malicious Windows system files which are being
overwritten cannot be safely disinfected.
The virus may also attempt to infect executables, but current tests
show that its ability to spread itself by means of infecting other
executables is not working, leaving corrupted versions of itself
which cannot run.
W32/Etyb-A also periodically scans the A:\, D:\, E:\, F:\ and G:\
drives (if present) for files. If a file is found, W32/Etyb-A copies
the filename and creates a corrupt file in its current folder with
that same filename that cannot run.
Advanced
W32/Etyb-A is a virus for the Windows platform.
When first run W32/Etyb-A copies itself to <Windows>\GigaByte_Bomber.exe
and creates the following files:
\%CurrentFolder%\calc.exe
\%CurrentFolder%\cmd.exe
\%CurrentFolder%\command.com
\%CurrentFolder%\freecell.exe
\%CurrentFolder%\mshearts.exe
\%CurrentFolder%\mspaint.exe
\%CurrentFolder%\notepad.exe
\%CurrentFolder%\osk.exe
\%CurrentFolder%\scrnsave.scr
\%CurrentFolder%\sol.exe
\%CurrentFolder%\spider.exe
\%CurrentFolder%\ssbezier.scr
\%CurrentFolder%\ssflwbox.scr
\%CurrentFolder%\ssmarque.scr
\%CurrentFolder%\ssmyst.scr
\%CurrentFolder%\sspipes.scr
\%CurrentFolder%\ssstars.scr
\%CurrentFolder%\sstext3d.scr
\%CurrentFolder%\taskmgr.exe
\%CurrentFolder%\telnet.exe
\%CurrentFolder%\tourstart.exe
\%CurrentFolder%\WARNING_ReadThis.txt
\%CurrentFolder%\wscript.exe
These files are corrupt and do not run. As W32/Etyb-A may overwrite
certain Windows system files, the existing non-malicious Windows
system files which are being overwritten cannot be safely disinfected.
The virus may also attempt to infect executables, but current tests
show that its ability to spread itself by means of infecting other
executables is not working, leaving corrupted versions of itself
which cannot run.
The following registry entry is created to run GigaByte_Bomber.exe on
startup:
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
GigaByte_Bomber
<Windows>\GigaByte_Bomber.exe
W32/Etyb-A also periodically scans the A:\, D:\, E:\, F:\ and G:\
drives (if present) for files. If a file is found, W32/Etyb-A copies
the filename and creates a corrupt file in its current folder with
that same filename that cannot run.

Name Troj/Nordex-A
Type
* Trojan
Affected operating systems
* Windows
Side effects
* Downloads code from the internet
Aliases
* Trojan.Win32.Agent.aau
* Trojan-Dropper.Win32.Small.atq
Prevalence (1-5) 2
Description
Troj/Nordex-A is a downloading Trojan for the Windows platform.
Troj/Nordex-A includes functionality to access the internet and
communicate with a remote server via HTTP.
Advanced
Troj/Nordex-A is a downloading Trojan for the Windows platform.
Troj/Nordex-A includes functionality to access the internet and
communicate with a remote server via HTTP.
The Trojan may arrive disguising itself as a genuine MS update in an
archive dropper that contains a Trojan downloading component.
When Troj/Nordex-A is installed the following files are created:
<User>\Local Settings\Temp\<random>.tmp.exe
<User>\Local Settings\Temp\<random>.tmp.dll
<User>\Local Settings\Temp\WER1.tmp.dir00/appcompat.txt
<Windows>\kb823980.log
<System>\xpsp1hfm.exe
<Windows>\xpsp1hfm.log
where the <random>.tmp.dll file is also detected as Troj/Nordex-A.
The rest of the files are not malicious and may be safely deleted.
Registry entries are set under :
HKCU\Software\Microsoft\Notepad

Name W32/Stration-BO
Type
* Worm
How it spreads
* Email messages
Affected operating systems
* Windows
Side effects
* Sends itself to email addresses found on the infected computer
* Downloads code from the internet
* Installs itself in the Registry
Aliases
* Email-Worm.Win32.Warezov.fh
Prevalence (1-5) 2
Description
W32/Stration-BO is a worm for the Windows platform.
W32/Stration-BO includes functionality to download, install and run
new software.
Advanced
W32/Stration-BO is a worm for the Windows platform.
W32/Stration-BO includes functionality to download, install and run
new software.
When first run W32/Stration-BO copies itself to <Windows>\msserv.exe
and creates the following files:
<System>\e1.dll
<Windows>\msserv.dat
The file e1.dll is detected as W32/Strati-Gen. The file msserv.dat is
a data file and may safely be deleted.
The following registry entry is created to run msserv.exe on startup:
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
msserv
<Windows>\msserv.exe s
The following registry entry is set:
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows
AppInit_DLLs
e1.dll

Name W32/Dref-O
Type
* Virus
How it spreads
* Network shares
* Infected files
Affected operating systems
* Windows
Side effects
* Drops more malware
* Uses its own emailing engine
* Installs itself in the Registry
Aliases
* Email-Worm.Win32.Luder.a
* W95/Tagen.A
* Win32/Nuwar.gen
Prevalence (1-5) 2
Description
W32/Dref-O is a mass-mailing worm and parasitic virus for the Windows
platform.
W32/Dref-O will attempt to infect SCR, EXE and RAR files.
Files successfully infected with the virus are detected as
W32/Dref-L. The virus may also corrupt other files by failing to
correctly infect them.
W32/Dref-O harvests email addresses from the infected computer and
may send emails containing a corrupt attachment to the addresses found.
W32/Dref-O may arrive in an email message with the following
characteristics:
Subject line chosen from:
White house news!
READ AND RESEND ASAP!
NEWS!
ATTN TO EVERYBODY!
Incredible news!
ATTN
URGENT NEWS!
URG
Message text chosen from:
3rd Glogal War Just Started!!! Read more in file!
Nuclear War in Russia! Read news in file!
President Bush DEAD! Read attached file!
Putin and Bush starts NUCLEAR WAR! Check the file!
Nuclear WAR in USA! Read attached file!
GLOBAL NUCLEAR WAR JUST STARTED! News in file.
President Putin dead! Read more in attached file!
Attached file chosen from
truth.exe
last.exe
lasest news.exe
never.exe
war.exe
about me.exe
a.exe
read me .exe
open.exe
Advanced
W32/Dref-O is a mass-mailing worm and parasitic virus for the Windows
platform.
W32/Dref-O will attempt to infect SCR, EXE and RAR files.
Files successfully infected with the virus are detected as
W32/Dref-L. The virus may also corrupt other files by failing to
correctly infect them.
W32/Dref-O harvests email addresses from the infected computer and
may send emails containing a corrupt attachment to the addresses found.
W32/Dref-O may arrive in an email message with the following
characteristics:
Subject line chosen from:
White house news!
READ AND RESEND ASAP!
NEWS!
ATTN TO EVERYBODY!
Incredible news!
ATTN
URGENT NEWS!
URG
Message text chosen from:
3rd Glogal War Just Started!!! Read more in file!
Nuclear War in Russia! Read news in file!
President Bush DEAD! Read attached file!
Putin and Bush starts NUCLEAR WAR! Check the file!
Nuclear WAR in USA! Read attached file!
GLOBAL NUCLEAR WAR JUST STARTED! News in file.
President Putin dead! Read more in attached file!
Attached file chosen from
truth.exe
last.exe
lasest news.exe
never.exe
war.exe
about me.exe
a.exe
read me .exe
open.exe
When first run W32/Dref-O copies itself to
<Windows system folder>\wservice.exe.
The virus creates the file <Current Folder of Virus>\<Random>.exe and
this file is detected as Troj/Dloadr-APW.
The following registry entries are created to run wservice.exe on
startup:
HKCU\Software\Microsoft\Windows\CurrentVersion\Run
UpdateService
<Windows system folder>\wservice.exe
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
UpdateService
<Windows system folder>\wservice.exe
W32/Dref-O sets the following registry entries, disabling the
automatic startup of other software:
HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess
Start
4
Note: disabling autostart for the SharedAccess service deactivates
the Microsoft Internet Connection Firewall (ICF).

Name W32/Rbot-FUO
Type
* Spyware Worm
How it spreads
* Network shares
Affected operating systems
* Windows
Side effects
* Allows others to access the computer
* Steals information
* Downloads code from the internet
* Installs itself in the Registry
* Exploits system or software vulnerabilities
* Used in DOS attacks
Prevalence (1-5) 2
Description
W32/Rbot-FUO is a network worm with IRC backdoor functionality.
Advanced
W32/Rbot-FUO is a network worm with IRC backdoor functionality.
W32/Rbot-FUO runs continuously in the background, providing a
backdoor server which allows a remote intruder to gain access and
control over the computer via IRC channels.
W32/Rbot-FUO spreads to other network computers by:
- exploiting common buffer overflow vulnerabilities, including ASN.1
(MS04-007)
- networks protected by weak passwords
W32/Rbot-FUO is registered as a new system driver service named "sdk"
with a display name of "Microsoft sdk core" and a startup type of
automatic, so that it is started automatically during system startup.
Registry entries are created under:
HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_SDK
HKLM\SYSTEM\CurrentControlSet\Services\sdk
W32/Rbot-FUO includes functionality to:
- setup a SOCKS4 server
- access the internet and communicate with a remote server via HTTP
- download code from the internet and run it
- act as a proxy redirecting internet traffic
- perform DDoS attacks
- harvest information including usernames and passwords from
HTTPMail, POP3, Outlook Express and Hotmail accounts
When run W32/Rbot-FUO copies itself to <Windows>\lsass.exe.
Registry entries may be created under:
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon
Shell

Name Troj/Tibs-PF
Type
* Trojan
Affected operating systems
* Windows
Side effects
* Downloads code from the internet
Aliases
* Win32/Nuwar.gen
Prevalence (1-5) 2
Description
Troj/Tibs-PF is a downloading Trojan for the Windows platform.
Troj/Tibs-PF includes functionality to access the internet and
communicate with a remote server via HTTP.

Name Troj/Stex-A
Type
* Spyware Trojan
Affected operating systems
* Windows
Side effects
* Allows others to access the computer
* Steals information
* Downloads code from the internet
* Installs itself in the Registry
Aliases
* TROJ_DLOADER.ESG
Prevalence (1-5) 2
Description
Troj/Stex-A is a Trojan for the Windows platform.
Advanced
Troj/Stex-A is a Trojan for the Windows platform.
When run, Troj/Stex-A copies itself into the system folder as
iexplorer.exe. The following Registry entry is added to hook system
startup:
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
iexplorer
<Windows system folder>\iexplorer.exe
Once running, Troj/Stex-A stealths its presence. The iexplorer.exe
process, Registry startup hook and iexplorer.exe file on disk are all
stealthed.
Troj/Stex-A contains functionality to connect to a remote server via
HTTP and download other files.

Name W32/Rbot-FUS
Type
* Spyware Worm
How it spreads
* Network shares
Affected operating systems
* Windows
Side effects
* Allows others to access the computer
* Steals information
* Downloads code from the internet
* Records keystrokes
* Installs itself in the Registry
* Used in DOS attacks
Aliases
* Backdoor.Win32.Small.nf
Prevalence (1-5) 2
Description
W32/Rbot-FUS is a network worm with IRC backdoor functionality.
Advanced
W32/Rbot-FUS is a network worm with IRC backdoor functionality.
W32/Rbot-FUS runs continuously in the background, providing a
backdoor server which allows a remote intruder to gain access and
control over the computer via IRC channels.
W32/Rbot-FUS spreads to other network computers by:
- networks protected by weak passwords
- MSN Messenger and Yahoo Instant Messenger
W32/Rbot-FUS is registered as a new system driver service named
"Microsoft windows FTPd" with a display name of "Microsoft windows
FTPd", a description of "Windows security FTPd update" and a startup
type of automatic, so that it is started automatically during system
startup. Registry entries are created under:
HKLM\SYSTEM\CurrentControlSet\Services\Microsoft windows FTPd\
HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_MICROSOFT_WINDOWS_FTPD\
W32/Rbot-FUS includes functionality to:
- setup a SOCKS4 server
- log keystrokes
- access the internet and communicate with a remote server via HTTP
- act as a proxy redirecting internet traffic
- perform DDoS attacks
- steal information
When run W32/Rbot-FUS copies itself to
<System>\dllcache\updtftpini.exe.
Registry entries may be created under:
HKLM\SYSTEM\CurrentControlSet\Control\Session Manager
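Both Rbot variants persist as an auto-start service whose display name borrows Microsoft's, with the binary either carrying a system-process name in the wrong folder (<Windows>\lsass.exe for W32/Rbot-FUO) or sitting in a cache folder (<System>\dllcache for W32/Rbot-FUS); the W32/Dref-N and W32/Dref-O notes earlier in this message show a different trick, disabling the SharedAccess service so the firewall never starts. The Python below is an added example, not from the message or Sophos: an audit over a constructed services snapshot that flags those three patterns. The ImagePath values for the sdk and FTPd services are assumptions built from the paths the descriptions give, and the system-binary name list and suspicious-folder list come from paths mentioned in this message.

```python
import ntpath

# Process names Windows itself uses and that entries in this message reuse for
# malicious copies; a legitimate copy of each lives in System32.
SYSTEM_BINARY_NAMES = {"lsass.exe", "svchost.exe", "smss.exe", "spoolsv.exe",
                       "csrss.exe", "services.exe", "winlogon.exe",
                       "ctfmon.exe", "rundll32.exe"}
# Folders no legitimate service is installed from, taken from paths in this message
SUSPECT_FOLDERS = ("\\dllcache\\", "\\recycled\\", "\\temp\\", "\\addins\\")

def service_binary(image_path):
    r"""Strip quoting and arguments: '"C:\a b\x.exe" -k net' -> 'C:\a b\x.exe'."""
    p = image_path.strip()
    if p.startswith('"'):
        return p[1:p.index('"', 1)]
    return p.split(" ", 1)[0]

def audit_services(services, windir=r"C:\WINDOWS"):
    r"""services: {name: {"DisplayName", "ImagePath", "Start"}} as read from
    HKLM\SYSTEM\CurrentControlSet\Services. Returns (service, reason) pairs."""
    findings = []
    system32 = ntpath.join(windir, "system32").lower()
    for name, v in services.items():
        start = v.get("Start")
        # Start 4 = disabled; for SharedAccess that means no ICF / Windows Firewall
        if name.lower() == "sharedaccess" and start == 4:
            findings.append((name, "SharedAccess disabled, so the Windows Firewall/ICF does not start"))
        if start != 2:          # 2 = automatic start; only those matter below
            continue
        binary = service_binary(v.get("ImagePath", ""))
        low = binary.lower()
        folder, base = ntpath.dirname(low), ntpath.basename(low)
        if base in SYSTEM_BINARY_NAMES and folder != system32:
            findings.append((name, f"system process name {base} outside System32: {binary}"))
        if any(s in low for s in SUSPECT_FOLDERS):
            findings.append((name, f"binary in a folder services are not installed from: {binary}"))
        if v.get("DisplayName", "").lower().startswith("microsoft") and folder != system32:
            findings.append((name, f"'Microsoft' display name but binary not in System32: {binary}"))
    return findings

# Constructed snapshot: one genuine service, the SharedAccess state the Dref
# notes describe, and the two Rbot services (ImagePath values assumed).
SERVICES = {
    "Spooler": {"DisplayName": "Print Spooler", "Start": 2,
                "ImagePath": r"C:\WINDOWS\system32\spoolsv.exe"},
    "SharedAccess": {"DisplayName": "Windows Firewall/Internet Connection Sharing (ICS)",
                     "Start": 4, "ImagePath": r"C:\WINDOWS\system32\svchost.exe -k netsvcs"},
    "sdk": {"DisplayName": "Microsoft sdk core", "Start": 2,
            "ImagePath": r"C:\WINDOWS\lsass.exe"},
    "Microsoft windows FTPd": {"DisplayName": "Microsoft windows FTPd", "Start": 2,
                               "ImagePath": r"C:\WINDOWS\system32\dllcache\updtftpini.exe"},
}

if __name__ == "__main__":
    for service, reason in audit_services(SERVICES):
        print(f"{service}: {reason}")
```

On a live system the snapshot is the Services subtree read with `reg query` or `winreg`; the name checks are cheap signals meant to shortlist services for a look at the binary's signature and hash, not a verdict on their own.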

Name W32/Looked-AR
Type
* Virus
How it spreads
* Network shares
* Infected files
Affected operating systems
* Windows
Side effects
* Downloads code from the internet
* Installs itself in the Registry
* Leaves non-infected files on computer
Aliases
* Worm.Win32.Viking.bi
* W32/HLLP.Philis
* PE_LOOKED.GEN
Prevalence (1-5) 2
Description
W32/Looked-AR is a virus and network worm for the Windows platform.
The virus infects EXE files found on the infected computer and
attempts to spread to remote network shares with weak passwords.
Advanced
W32/Looked-AR is a virus and network worm for the Windows platform.
The virus infects EXE files found on the infected computer and
attempts to spread to remote network shares with weak passwords.
When first run the virus copies itself as the following:
<Windows>\Logo1_.exe
<Windows>\rundl132.exe
and creates a file <Windows>\Dll.dll, also detected as W32/Looked-AR.
This file attempts to download further executable code.
Many files with the name "_desktop.ini" are created, in various
folders on the infected computer. These files are harmless text files.
The following registry entry is created to run rundl132.exe on startup:
HKCU\Software\Microsoft\Windows NT\CurrentVersion\Windows
load
<Windows>\rundl132.exe
Registry entries are created under:
HKLM\SOFTWARE\Soft\DownloadWWW\
--- MultiMail/Win32 v0.43
* Origin: Try Our Web Based QWK: DOCSPLACE.ORG (1:123/140)