Text 243, 1196 rader
Skriven 2006-11-25 12:53:00 av KURT WISMER (1:123/140)
Ärende: News, November 25 2006
==============================
[cut-n-paste from sophos.com]
Name W32/Rbot-FWL
Type
* Worm
How it spreads
* Network shares
Affected operating systems
* Windows
Side effects
* Allows others to access the computer
* Downloads code from the internet
* Reduces system security
* Installs itself in the Registry
* Exploits system or software vulnerabilities
Aliases
* Backdoor.Win32.Rbot.adf
* a variant of Win32/Rbot
* W32.Spybot.Worm
* WORM_RBOT.CG
Prevalence (1-5) 2
Description
W32/Rbot-FWL is a worm with IRC backdoor functionality for the
Windows platform.
W32/Rbot-FWL spreads
- to computers vulnerable to common exploits, including: WKS
(MS03-049) and
ASN.1 (MS04-007)
- to MSSQL servers protected by weak passwords
- to network shares protected by weak passwords
W32/Rbot-FWL runs continuously in the background, providing a
backdoor server
which allows a remote intruder to gain access and control over the
computer via
IRC channels.
W32/Rbot-FWL modifies the HOSTS file, appended lines to prevent
access to
certain websites.
Advanced
W32/Rbot-FWL is a worm with IRC backdoor functionality for the
Windows platform.
W32/Rbot-FWL spreads
- to computers vulnerable to common exploits, including: WKS
(MS03-049) and
ASN.1 (MS04-007)
- to MSSQL servers protected by weak passwords
- to network shares protected by weak passwords
W32/Rbot-FWL runs continuously in the background, providing a
backdoor server
which allows a remote intruder to gain access and control over the
computer via
IRC channels.
When first run W32/Rbot-FWL copies itself to <System>\atigfx.exe.
The following registry entries are created to run atigfx.exe on
startup:
HKCU\Software\Microsoft\Windows\CurrentVersion\Run
ATI Video Driver Control
atigfx.exe
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
ATI Video Driver Control
atigfx.exe
HKCU\Software\Microsoft\Windows\CurrentVersion\RunServices
ATI Video Driver Control
atigfx.exe
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices
ATI Video Driver Control
atigfx.exe
Registry entries are set as follows:
HKCU\SYSTEM\CurrentControlSet\Control\Lsa
ATI Video Driver Control
atigfx.exe
HKLM\SYSTEM\CurrentControlSet\Control\Lsa
ATI Video Driver Control
atigfx.exe
HKCU\Software\Microsoft\OLE
ATI Video Driver Control
atigfx.exe
HKLM\SOFTWARE\Microsoft\Ole
ATI Video Driver Control
atigfx.exe
Name Troj/Nebuler-M
Type
* Spyware Trojan
Affected operating systems
* Windows
Side effects
* Steals information
* Installs itself in the Registry
Aliases
* Trojan-Dropper.Win32.Small.aua
* Win32/Agent.NEQ
* TROJ_SMALL.DSN
Prevalence (1-5) 2
Description
Troj/Nebuler-M is a Trojan for the Windows platform.
Troj/Nebuler-M gathers details relating to dialup services and sends
collected information to a remote site via HTTP.
Advanced
Troj/Nebuler-M is a Trojan for the Windows platform.
Troj/Nebuler-M gathers details relating to dialup services and sends
collected information to a remote site via HTTP.
The Trojan may inject code into other processes in an attempt to
remain hidden.
When Troj/Nebuler-M is installed the following files are created:
<System>\win<xxx>32.dll
Where <xxx> are random letters.
The file win<xxx>32.dll is detected as Troj/Nebule-Gen.
The following registry entries are created to run code exported by
win<xxx>32.dll on startup:
HKLM\SOFTWARE\Microsoft\Windows
NT\CurrentVersion\Winlogon\Notify\win<xxx>32
DllName
win<xxx>32.dll
HKLM\SOFTWARE\Microsoft\Windows
NT\CurrentVersion\Winlogon\Notify\win<xxx>32
Impersonate
0
HKLM\SOFTWARE\Microsoft\Windows
NT\CurrentVersion\Winlogon\Notify\win<xxx>32
Startup
EvtStartup
Registry entries are created under:
HKLM\SOFTWARE\Microsoft\MSSMGR\
Name W32/Rbot-FWM
Type
* Worm
How it spreads
* Network shares
Affected operating systems
* Windows
Side effects
* Allows others to access the computer
* Installs itself in the Registry
Aliases
* Backdoor.Win32.SdBot.awk
Prevalence (1-5) 2
Description
W32/Rbot-FWM is a worm with IRC backdoor functionality for the
Windows platform.
W32/Rbot-FWM runs continuously in the background, providing a
backdoor server
which allows a remote intruder to gain access and control over the
computer via
IRC channels.
Advanced
W32/Rbot-FWM is a worm with IRC backdoor functionality for the
Windows platform.
W32/Rbot-FWM runs continuously in the background, providing a
backdoor server
which allows a remote intruder to gain access and control over the
computer via
IRC channels.
When first run W32/Rbot-FWM copies itself to <System>\svcchost.exe.
The following registry entries are created to run svcchost.exe on
startup:
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
msvcc25
svcchost.exe
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices
msvcc25
svcchost.exe
Registry entries are set as follows:
HKLM\SOFTWARE\Microsoft\Ole
EnableDCOM
N
HKLM\SYSTEM\CurrentControlSet\Control\Lsa
restrictanonymous
1
Name Troj/Clagger-AK
Type
* Trojan
Affected operating systems
* Windows
Side effects
* Downloads code from the internet
* Reduces system security
Prevalence (1-5) 2
Description
Troj/Clagger-AK is a Trojan for the Windows platform.
Troj/Clagger-AK includes functionality to download, install and run
new software.
Advanced
Troj/Clagger-AK is a Trojan for the Windows platform.
Troj/Clagger-AK includes functionality to download, install and run
new software.
Troj/Clagger-AK attempts to download files to the following locations:
<Windows>\1.exe
<Windows>\chii.exe
<Windows>\zupacha.exe
The following registry entry is set, affecting internet security:
HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\
FiREWaLLpolicy\StAnDaRDPrOFiLe\AUtHorizedapplications\List\
<original filename>
<pathname of the Trojan executable>:*:ENABLED:0
Name W32/Looked-AX
Type
* Virus
How it spreads
* Network shares
* Infected files
Affected operating systems
* Windows
Side effects
* Turns off anti-virus applications
* Downloads code from the internet
* Installs itself in the Registry
* Leaves non-infected files on computer
Prevalence (1-5) 2
Description
W32/Looked-AX is a virus which can also spread via network shares.
W32/Looked-AX runs continuously in the background, providing a
backdoor server which allows a remote intruder to gain access and
control over the computer.
Advanced
W32/Looked-AX is a virus which can also spread via network shares.
W32/Looked-AX runs continuously in the background, providing a
backdoor server which allows a remote intruder to gain access and
control over the computer.
W32/Looked-AX includes functionality to access the internet and
communicate with a remote server via HTTP.
When run W32/Looked-AX copies itself to
<Windows>\uninstall\rundl132.exe and creates the following files:
<Windows>\Dll.dll
Dll.dll is also detected as W32/Looked-AX.
The following registry entry is created to run rundl132.exe on startup:
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
load
<Windows>\uninstall\rundl132.exe
Registry entries are created under:
HKLM\SOFTWARE\Soft\DownloadWWW\
Name Troj/Vixup-BZ
Type
* Trojan
Affected operating systems
* Windows
Side effects
* Downloads code from the internet
* Reduces system security
* Installs itself in the Registry
Aliases
* Trojan-Downloader.Win32.Tibs.ir
* Win32/TrojanDownloader.Small.AWA
* Trojan.Galapoper.A
* TROJ_TIBS.OS
Prevalence (1-5) 2
Description
Troj/Vixup-BZ is a Trojan for the Windows platform.
Troj/Vixup-BZ includes functionality to download and run further
executable code.
Advanced
Troj/Vixup-BZ is a Trojan for the Windows platform.
Troj/Vixup-BZ includes functionality to download and run further
executable code.
When first run Troj/Vixup-BZ copies itself to <System>\kernels8.exe
and may download a file to <System>\dlh9jkdq8.exe.
The following registry entry is created to run kernels8.exe on startup:
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
System
<System>\kernels8.exe
The following registry entry is set, disabling the Windows task
manager (taskmgr):
HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System
DisableTaskMgr
1
Name W32/Stration-AJ
Type
* Worm
How it spreads
* Network shares
Affected operating systems
* Windows
Side effects
* Drops more malware
* Downloads code from the internet
* Installs itself in the Registry
Aliases
* WORM_STRAT.GG
Prevalence (1-5) 2
Description
W32/Stration-AJ is a worm for the Windows platform.
W32/Stration-AJ includes functionality to download, install and run
new software.
Advanced
W32/Stration-AJ is a worm for the Windows platform.
W32/Stration-AJ includes functionality to download, install and run
new software.
When first run W32/Stration-AJ copies itself to <Windows>\cserv32.exe
and creates the following files:
<Windows>\cserv32.dat
<System>\e1.dll
The file e1.dll is detected as W32/Strati-Gen.
The following registry entry is created to run cserv32.exe on startup:
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
cserv32
<Windows>\cserv32.exe s
The following registry entry is set:
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows
AppInit_DLLs
e1.dll
Name Troj/QQRob-ABA
Type
* Trojan
Affected operating systems
* Windows
Side effects
* Turns off anti-virus applications
* Installs itself in the Registry
Aliases
* Trojan-PSW.Win32.QQRob.is
* PAK_Generic.001
Prevalence (1-5) 2
Description
Troj/QQRob-ABA is a Trojan for the Windows platform.
Advanced
Troj/QQRob-ABA is a Trojan for the Windows platform.
When first run Troj/QQRob-ABA copies itself to:
<Startup>\<random characters>.exe
<Common Files>\System\<random characters>.dat
<Windows>\Help\adsal.chm
and creates the file <Common Files>\System\<random characters>.dll.
This file is also detected as Troj/QQRob-ABA.
The file <random characters>.dll is registered as a COM object and
ShellExecute hook, creating registry entries under:
HKCR\CLSID\(random CLSID)
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\
ShellExecuteHooks\(randome CLSID)
The following registry entries are also created, disabling certain
anti-virus and security processes:
HKLM\SYSTEM\CurrentControlSet\Services\AVP
Start
4
HKLM\SYSTEM\CurrentControlSet\Services\FireSvc
Start
4
HKLM\SYSTEM\CurrentControlSet\Services\KPfwSvc
Start
4
HKLM\SYSTEM\CurrentControlSet\Services\KVSrvXP
Start
4
HKLM\SYSTEM\CurrentControlSet\Services\KVWSC
Start
4
HKLM\SYSTEM\CurrentControlSet\Services\KWatchSvc
Start
4
HKLM\SYSTEM\CurrentControlSet\Services\McAfeeFramework
Start
4
HKLM\SYSTEM\CurrentControlSet\Services\McShield
Start
4
HKLM\SYSTEM\CurrentControlSet\Services\McTaskManager
Start
4
HKLM\SYSTEM\CurrentControlSet\Services\MskService
Start
4
HKLM\SYSTEM\CurrentControlSet\Services\NPFMntor
Start
4
HKLM\SYSTEM\CurrentControlSet\Services\RfwService
Start
4
HKLM\SYSTEM\CurrentControlSet\Services\RsCCenter
Start
4
HKLM\SYSTEM\CurrentControlSet\Services\RsRavMon
Start
4
HKLM\SYSTEM\CurrentControlSet\Services\SKNFW
Start
4
HKLM\SYSTEM\CurrentControlSet\Services\SNDSrvc
Start
4
HKLM\SYSTEM\CurrentControlSet\Services\SPBBCSvc
Start
4
HKLM\SYSTEM\CurrentControlSet\Services\SkyProcs
Start
4
HKLM\SYSTEM\CurrentControlSet\Services\Symantec Core LC
Start
4
HKLM\SYSTEM\CurrentControlSet\Services\ccEvtMgr
Start
4
HKLM\SYSTEM\CurrentControlSet\Services\ccProxy
Start
4
HKLM\SYSTEM\CurrentControlSet\Services\ccSetMgr
Start
4
HKLM\SYSTEM\CurrentControlSet\Services\kavsvc
Start
4
HKLM\SYSTEM\CurrentControlSet\Services\navapsvc
Start
4
HKLM\SYSTEM\CurrentControlSet\Services\wscsvc
Start
4
Name W32/Looked-AY
Type
* Virus
How it spreads
* Network shares
* Infected files
Affected operating systems
* Windows
Side effects
* Steals information
* Downloads code from the internet
* Installs itself in the Registry
Aliases
* W32/HLLP.Philis.bt
Prevalence (1-5) 2
Description
W32/Looked-AY is a virus and worm for the Windows platform.
W32/Looked-AY spreads to other network computers.
W32/Looked-AY includes functionality to access the internet and
communicate with a remote server via HTTP.
Advanced
W32/Looked-AY is a virus and worm for the Windows platform.
W32/Looked-AY spreads to other network computers.
W32/Looked-AY includes functionality to access the internet and
communicate with a remote server via HTTP.
When first run W32/Looked-AY copies itself to
<Windows>\uninstall\rundl132.exe and creates the following files:
<Windows>\RichDll.dll - detected as W32/Looked-AY
The following registry entry is created to run rundl132.exe on startup:
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
load
<Windows>\uninstall\rundl132.exe
Registry entries are created under:
HKLM\SOFTWARE\Soft\DownloadWWW\
Name Troj/Dloadr-AQK
Type
* Trojan
Affected operating systems
* Windows
Side effects
* Downloads code from the internet
Aliases
* Win32/TrojanDownloader.Agent.AXS
Prevalence (1-5) 2
Description
Troj/Dloadr-AQK is a downloading Trojan for the Windows platform.
Advanced
Troj/Dloadr-AQK is a downloading Trojan for the Windows platform.
Troj/Dloadr-AQK includes functionality to connect to the internet and
communicate with a remote server via HTTP.
Registry entries are created under:
HKCU\Software\unker\<basename>\main\
Name W32/Dref-Q
Type
* Worm
How it spreads
* Email attachments
Affected operating systems
* Windows
Side effects
* Turns off anti-virus applications
* Sends itself to email addresses found on the infected computer
* Drops more malware
* Forges the sender's email address
* Uses its own emailing engine
* Installs itself in the Registry
Aliases
* Win32/Nuwar.gen
Prevalence (1-5) 2
Description
W32/Dref-Q is a mass-mailing worm for the Windows platform.
Messages sent by the worm have the following characteristics:
Subject: taken from a list including
Urgent News!
Attn
News!
Incredible news!
Read and resend asap!
or a headline retrieved from a news website.
Attached filename: taken from a list including
read me.exe
CNN latest news.exe
CNN news reader.exe
cnn.exe
news reader.exe
Advanced
W32/Dref-Q is a mass-mailing worm for the Windows platform.
Messages sent by the worm have the following characteristics:
Subject: one of
Urgent News!
Attn
News!
Incredible news!
Read and resend asap!
Attn to everybody!
Urg
White house news!
or a headline retrieved from a news website.
Attached filename: one of
read me.exe
CNN latest news.exe
CNN news reader.exe
cnn.exe
news reader.exe
cnn site explorer.exe
www-CNN-COM.exe
news agent.exe
webnews agent.exe
cnn agent.exe
When first run, W32/Dref-Q will open a browser displaying a news
website.
W32/Dref-Q copies itself to <Windows system folder>\wservice.exe and
creates the a randomly-named executable in the current folder. This
randomly named executable is detected as Troj/DownLdr-QK.
The following registry entries are created to run wservice.exe on
startup:
HKCU\Software\Microsoft\Windows\CurrentVersion\Run
UpdateService
<Windows system folder>\wservice.exe
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
UpdateService
<Windows system folder>\wservice.exe
W32/Dref-Q sets the following registry entries, disabling the
automatic startup of other software:
HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess
Start
4
Note: disabling autostart for the SharedAccess service deactivates
the Microsoft Internet Connection Firewall (ICF).
Name Troj/Adload-KB
Type
* Trojan
Affected operating systems
* Windows
Side effects
* Downloads code from the internet
Aliases
* Trojan-Downloader.Win32.Adload.hw
* TROJ_ADLOAD.RG
Prevalence (1-5) 2
Description
Troj/Adload-KB ia a Trojan for the Windows platform.
The Trojan includes functionality to access the internet and
communicate with a remote server via HTTP.
Name Troj/Clagger-AL
Type
* Trojan
Affected operating systems
* Windows
Side effects
* Downloads code from the internet
Prevalence (1-5) 2
Description
Troj/Clagger-AL is a downloading Trojan for the Windows platform.
Advanced
Troj/Clagger-AL is a downloading Trojan for the Windows platform.
Troj/Clagger-AL downloads files from a list of preconfigured URLs to
the Windows folder and executes them.
Name Troj/Clagger-AM
Type
* Trojan
Affected operating systems
* Windows
Side effects
* Downloads code from the internet
Aliases
* Trojan.Schoeberl.D
Prevalence (1-5) 2
Description
Troj/Clagger-AM is a Trojan for the Windows platform.
Name W32/Sdbot-CUJ
Type
* Worm
How it spreads
* Network shares
Affected operating systems
* Windows
Side effects
* Turns off anti-virus applications
* Allows others to access the computer
* Installs itself in the Registry
* Exploits system or software vulnerabilities
Aliases
* Backdoor.Win32.SdBot.azd
* W32/Backdoor.PVO
Prevalence (1-5) 2
Description
W32/Sdbot-CUJ is a network worm for the Windows platform.
W32/Sdbot-CUJ runs continuously in the background, providing a
backdoor server which allows a remote intruder to gain access and
control over the computer via IRC channels.
W32/Sdbot-CUJ spreads to other network computers by exploiting common
buffer overflow vulnerabilities.
Advanced
W32/Sdbot-CUJ is a network worm for the Windows platform.
W32/Sdbot-CUJ runs continuously in the background, providing a
backdoor server which allows a remote intruder to gain access and
control over the computer via IRC channels.
W32/Sdbot-CUJ spreads to other network computers by exploiting common
buffer overflow vulnerabilities.
When first run W32/Sdbot-CUJ copies itself to <Windows>\directx.exe.
The file directx.exe is registered as a new system driver service
named "directx.exe", with a display name of "directx.exe" and a
startup type of automatic, so that it is started automatically during
system startup. Registry entries are created under:
HKLM\SYSTEM\CurrentControlSet\Services\directx.exe\
The worm disables the Windows System File Checker by changing the
following registry entry:
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon
SFCDisable
ffffff9d
(the default value for this entry is 0)
W32/Sdbot-CUJ overwrites the following system files:
<Windows>\sfc_os.dll
<Windows>\ftp.exe
<Windows>\tftp.exe
Name W32/Looked-AZ
Type
* Virus
How it spreads
* Network shares
* Infected files
Affected operating systems
* Windows
Side effects
* Steals information
* Downloads code from the internet
* Installs itself in the Registry
* Leaves non-infected files on computer
Prevalence (1-5) 2
Description
W32/Looked-AZ is a virus.
W32/Looked-AZ infects EXE files found on the infected computer and
attempts to spread to remote network shares with weak passwords.
The virus includes functionality to access the internet and
communicate with a remote server via HTTP.
Advanced
W32/Looked-AZ is a virus.
W32/Looked-AZ infects EXE files found on the infected computer and
attempts to spread to remote network shares with weak passwords.
The virus includes functionality to access the internet and
communicate with a remote server via HTTP.
When first run W32/Looked-AZ copies itself to
<Windows>\uninstall\rundl132.exe and <Windows>\logo1_.exe and creates
files <Windows>\RichDll.dll, which is also detected as W32/Looked-AZ.
Many files with the name "_desktop.ini" are also created, in various
folders on the infected computer. These files are harmless text files.
The following registry entry is created to run rundl132.exe on startup:
HKCU\Software\Microsoft\Windows NT\CurrentVersion\Windows
load
<Windows>\uninstall\rundl132.exe
Registry entries are created under:
HKLM\SOFTWARE\Soft\DownloadWWW\
Name Troj/Clagger-AN
Type
* Trojan
Affected operating systems
* Windows
Side effects
* Downloads code from the internet
Aliases
* Downloader-ATM
Prevalence (1-5) 2
Description
Troj/Clagger-AN is a downloading Trojan for the Windows platform.
Troj/Clagger-AN downloads files from preconfigured URLs to the
Windows folder and executes them.
Name Troj/Lineag-AEO
Type
* Spyware Trojan
Affected operating systems
* Windows
Side effects
* Steals information
* Drops more malware
* Records keystrokes
* Installs itself in the Registry
Aliases
* Trojan-PSW.Win32.Hangame.cl
* Trojan-PSW.Win32.Nilage.ajk
Prevalence (1-5) 2
Description
Troj/Lineag-AEO is a password stealing Trojan for the Windows platform.
Troj/Lineag-AEO includes functionality to access the internet and
communicate with a remote server via HTTP.
Advanced
Troj/Lineag-AEO is a password stealing Trojan for the Windows platform.
Troj/Lineag-AEO includes functionality to access the internet and
communicate with a remote server via HTTP.
When Troj/Lineag-AEO is installed the following files are created:
<Temp>\ri.exe
<Temp>\t2.exe
<Program Files>\Internet Explorer\explorer.exe
<System>\ccdll.dll
The files explorer.exe and ri.exe are detected as Troj/Hangame-AF.
The files t2.exe and ccdll.dll are also detected as Troj/Lineag-AEO.
The following registry entry is created to run explorer.exe on startup:
HKCU\Software\Microsoft\Windows NT\CurrentVersion\Windows
load
<Program Files>\INTERN~1\explorer.exe
Name Troj/WowPWS-AJ
Type
* Spyware Trojan
Affected operating systems
* Windows
Side effects
* Steals information
* Downloads code from the internet
* Installs itself in the Registry
Prevalence (1-5) 2
Description
Troj/WowPWS-AJ is a Trojan for the Windows platform.
Troj/WowPWS-AJ includes functionality to access the internet and
communicate with a remote server via HTTP.
Advanced
Troj/WowPWS-AJ is a Trojan for the Windows platform.
Troj/WowPWS-AJ includes functionality to access the internet and
communicate with a remote server via HTTP.
Troj/WowPWS-AJ includes functionality to steal passwords for certain
online games.
When first run Troj/WowPWS-AJ copies itself to
<Windows>\Download\svhost32.exe and creates the following files:
<Temp>\a.dll
<System>\xydll.dll
The following registry entry is created to run svhost32.exe on startup:
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
xy
<Windows>\Download\svhost32.exe
Name Troj/Nebuler-N
Type
* Trojan
Affected operating systems
* Windows
Side effects
* Drops more malware
* Installs itself in the Registry
Aliases
* Trojan-Dropper.Win32.Agent.azn
Prevalence (1-5) 2
Description
Troj/Nebuler-N is a Trojan for the Windows platform.
Advanced
Troj/Nebuler-N is a Trojan for the Windows platform.
When Troj/Nebuler-N is installed the following files are created:
<Temp>\mst1.bat
<Temp>\mst1.tmp
<Current Folder>\mit.bat
<System>\winool32.dll
The files winool32.dll and mst1.tmp are detected as Troj/Nebule-Gen.
The files mst1.bat and mit.bat are clean scripts to delete
Troj/Nebuler-N files.
The following registry entries are created to run code exported by
winool32.dll on startup:
HKLM\SOFTWARE\Microsoft\Windows
NT\CurrentVersion\Winlogon\Notify\winool32
DllName
winool32.dll
HKLM\SOFTWARE\Microsoft\Windows
NT\CurrentVersion\Winlogon\Notify\winool32
Impersonate
0
HKLM\SOFTWARE\Microsoft\Windows
NT\CurrentVersion\Winlogon\Notify\winool32
Startup
EvtStartup
Registry entries are created under:
HKLM\SOFTWARE\Microsoft\MSSMGR\
Troj/Nebuler-N may create files in the following folders:
<User>\Application Data\Microsoft\Crypto\rsa
<User>\Application Data\Microsoft\Protect
--- MultiMail/Win32 v0.43
* Origin: Try Our Web Based QWK: DOCSPLACE.ORG (1:123/140)
|