Text 252, 628 lines
Written 2006-12-31 17:40:00 by KURT WISMER
Subject: News, December 31 2006
==============================
[cut-n-paste from sophos.com]
Name W32/Rbot-FZE
Type
* Spyware Worm
How it spreads
* Network shares
Affected operating systems
* Windows
Side effects
* Allows others to access the computer
* Steals information
* Downloads code from the internet
* Reduces system security
* Records keystrokes
* Installs itself in the Registry
* Exploits system or software vulnerabilities
* Used in DOS attacks
Aliases
* Backdoor.Win32.Rbot.bng
Prevalence (1-5) 2
Description
W32/Rbot-FZE is a worm with IRC backdoor functionality for the
Windows platform.
W32/Rbot-FZE spreads to other network computers by:
- exploiting common buffer overflow vulnerabilities, including LSASS
(MS04-011), SRVSVC (MS06-040), RPC-DCOM (MS04-012), PNP (MS05-039),
ASN.1 (MS04-007) and RealVNC (CVE-2006-2369) and
- accessing network shares protected by weak passwords
Advanced
W32/Rbot-FZE is a worm with IRC backdoor functionality for the
Windows platform.
W32/Rbot-FZE spreads to other network computers by:
- exploiting common buffer overflow vulnerabilities, including LSASS
(MS04-011), SRVSVC (MS06-040), RPC-DCOM (MS04-012), PNP (MS05-039),
ASN.1 (MS04-007) and RealVNC (CVE-2006-2369) and
- accessing network shares protected by weak passwords
W32/Rbot-FZE runs continuously in the background, providing a
backdoor server which allows a remote intruder to gain access and
control over the computer via IRC channels.
When run, W32/Rbot-FZE copies itself to <System>\winlogz2.exe and sets
the following registry entries to run itself on startup:
HKCU\Software\Microsoft\Windows\CurrentVersion\Run
Windows Services Layer
<System>\winlogz2.exe
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices
Windows Services Layer
<System>\winlogz2.exe
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Windows Services Layer
<System>\winlogz2.exe
W32/Rbot-FZE also sets the following registry entry:
HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List
<System>\winlogz2.exe
<System>\winlogz2.exe:*:Enabled:Windows Services Layer
W32/Rbot-FZE includes functionality to:
- access the internet and communicate with a remote server via HTTP
- setup a SOCKS4 server
- record keystrokes
- perform DDoS attacks
- steal information
Name Troj/StraDl-B
Type
* Trojan
Affected operating systems
* Windows
Side effects
* Downloads code from the internet
Prevalence (1-5) 2
Description
Troj/StraDl-B is a downloader Trojan for the Windows platform.
When run, Troj/StraDl-B attempts to download a file from a remote
website and run it. This file is currently detected as W32/Strati-Gen.
Name Troj/StraDl-C
Type
* Trojan
Affected operating systems
* Windows
Side effects
* Downloads code from the internet
Aliases
* Email-Worm.Win32.Warezov.jj
Prevalence (1-5) 2
Description
Troj/StraDl-C is a downloader Trojan for the Windows platform.
Troj/StraDl-C includes functionality to download, install and run new
software.
Name W32/Fujacks-A
Type
* Virus
How it spreads
* Network shares
* Infected files
* Peer-to-peer
Affected operating systems
* Windows
Side effects
* Downloads code from the internet
* Installs itself in the Registry
Aliases
* Worm.Win32.Delf.bd
* W32/Fujacks
Prevalence (1-5) 2
Description
W32/Fujacks-A is a prepending virus for the Windows platform.
The virus can also spread to network shares and has backdoor
functionality.
Advanced
W32/Fujacks-A is a prepending virus for the Windows platform.
The virus can also spread to network shares and has backdoor
functionality.
W32/Fujacks-A runs continuously in the background, providing a
backdoor server which allows a remote intruder to gain access and
control over the computer.
W32/Fujacks-A includes functionality to access the internet and
communicate with a remote server via HTTP.
When first run, W32/Fujacks-A copies itself to <System>\drivers\spoclsv.exe.
The following registry entry is created to run spoclsv.exe on startup:
HKCU\Software\Microsoft\Windows\CurrentVersion\Run
svcshare
<System>\drivers\spoclsv.exe
The following registry entry is set:
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\Hidden\SHOWALL
CheckedValue
0
Name W32/Rbot-FZO
Type
* Worm
How it spreads
* Network shares
Affected operating systems
* Windows
Side effects
* Allows others to access the computer
* Downloads code from the internet
* Installs itself in the Registry
* Exploits system or software vulnerabilities
* Scans network for vulnerabilities
* Scans network for weak passwords
* Scans network for open ports
Prevalence (1-5) 2
Description
W32/Rbot-FZO is a worm for the Windows platform.
W32/Rbot-FZO runs continuously in the background, providing a
backdoor server which allows a remote intruder to gain access and
control over the computer via IRC channels.
W32/Rbot-FZO spreads to computers vulnerable to common exploits,
including RPC-DCOM (MS04-012) and ASN.1 (MS04-007), and via network shares.
Advanced
W32/Rbot-FZO is a worm for the Windows platform.
W32/Rbot-FZO runs continuously in the background, providing a
backdoor server which allows a remote intruder to gain access and
control over the computer via IRC channels.
W32/Rbot-FZO spreads to computers vulnerable to common exploits,
including RPC-DCOM (MS04-012) and ASN.1 (MS04-007), and via network shares.
When first run, W32/Rbot-FZO copies itself to \jamesbond.exe.
The following registry entries are created to run jamesbond.exe on
startup:
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Casino Royale
<System>\jamesbond.exe
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices
Casino Royale
<System>\jamesbond.exe
The following registry entry is set, affecting internet security:
HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List
<Windows>\System32\jamesbond.exe
<System>\jamesbond.exe:*:Enabled:Casino Royale
The following registry entry is set:
HKCU\Software\Microsoft\OLE
Casino Royale
<System>\jamesbond.exe
Name W32/Rbot-FZQ
Type
* Worm
How it spreads
* Network shares
Affected operating systems
* Windows
Side effects
* Turns off anti-virus applications
* Allows others to access the computer
* Downloads code from the internet
* Reduces system security
* Installs itself in the Registry
* Exploits system or software vulnerabilities
Prevalence (1-5) 2
Description
W32/Rbot-FZQ is a network worm for the Windows platform.
W32/Rbot-FZQ spreads
- to computers vulnerable to common exploits, including: LSASS
(MS04-011), SRVSVC (MS06-040), RPC-DCOM (MS04-012), PNP (MS05-039),
ASN.1 (MS04-007) and RealVNC (CVE-2006-2369)
- to network shares protected by weak passwords
W32/Rbot-FZQ runs continuously in the background, providing a
backdoor server which allows a remote intruder to gain access and
control over the computer via IRC channels.
Advanced
W32/Rbot-FZQ is a network worm for the Windows platform.
W32/Rbot-FZQ spreads
- to computers vulnerable to common exploits, including: LSASS
(MS04-011), SRVSVC (MS06-040), RPC-DCOM (MS04-012), PNP (MS05-039),
ASN.1 (MS04-007) and RealVNC (CVE-2006-2369)
- to network shares protected by weak passwords
W32/Rbot-FZQ runs continuously in the background, providing a
backdoor server which allows a remote intruder to gain access and
control over the computer via IRC channels.
When first run, W32/Rbot-FZQ copies itself to <System>\winl0g0.exe.
The following registry entries are created to run winl0g0.exe on
startup:
HKCU\Software\Microsoft\Windows\CurrentVersion\Run
Windows Services Layer
<System>\winl0g0.exe
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Windows Services Layer
<System>\winl0g0.exe
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices
Windows Services Layer
<System>\winl0g0.exe
The following registry entry is set, affecting internet security:
HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List
<System>\winl0g0.exe
<System>\winl0g0.exe:*:Enabled:Windows Services Layer
Name Troj/FeebDl-AA
Type
* Trojan
Affected operating systems
* Windows
Side effects
* Turns off anti-virus applications
* Downloads code from the internet
Aliases
* JS/Feebs.gen.p@MM
Prevalence (1-5) 2
Description
Troj/FeebDl-AA is a downloader Trojan for the Windows platform.
Advanced
Troj/FeebDl-AA is a downloader Trojan for the Windows platform.
Troj/FeebDl-AA attempts to download and execute a number of files
from remote websites to C:\Recycled\userinit.exe, sometimes also
copying it to the startup folder. These files are currently detected
as Mal/Packer.
Troj/FeebDl-AA attempts to set the following registry entry:
HKLM\Active Setup\Installed Components\{CD5AC91B-AE7B-E83A-0C4C-E616075972F3}
Stubpath
C:\Recycled\userinit.exe
Troj/FeebDl-AA attempts to terminate a number of services related to
security and anti-virus applications.
Troj/FeebDl-AA has been seen sent in spam containing a "pump and
dump" stock GIF image and random message text.
Name W32/Dref-U
Type
* Virus
How it spreads
* Email attachments
* Infected files
Affected operating systems
* Windows
Side effects
* Turns off anti-virus applications
* Sends itself to email addresses found on the infected computer
* Drops more malware
* Forges the sender's email address
* Uses its own emailing engine
* Downloads code from the internet
* Installs itself in the Registry
Prevalence (1-5) 2
Description
W32/Dref-U is a virus with mass-mailing capability for the Windows
platform.
W32/Dref-U spreads to other network computers and via email.
W32/Dref-U includes functionality to access the internet and
communicate with a remote server via HTTP.
Advanced
W32/Dref-U is a virus with mass-mailing capability for the Windows
platform.
W32/Dref-U spreads to other network computers and via email.
W32/Dref-U includes functionality to access the internet and
communicate with a remote server via HTTP.
When first run, W32/Dref-U copies itself to <System>\ppl.exe and
creates the following registry keys:
HKCU\Software\Microsoft\Windows\CurrentVersion\Run
agent
<System>\ppl.exe
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
agent
<System>\ppl.exe
W32/Dref-U sets the following registry entries, disabling the
automatic startup of other software:
HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess
Start
4
Note: disabling autostart for the SharedAccess service deactivates
the Microsoft Internet Connection Firewall (ICF).
W32/Dref-U may also attempt to drop a randomly named file into the
current folder and run it. This file is detected by Sophos as
Troj/Dloadr-ANE.
Files infected by W32/Dref-U are detected by Sophos as W32/Dref-L.
Name W32/Agobot-AHT
Type
* Worm
Affected operating systems
* Windows
Side effects
* Allows others to access the computer
* Installs itself in the Registry
Aliases
* W32/Sdbot.worm.gen.t
Prevalence (1-5) 2
Description
W32/Agobot-AHT is a worm with IRC backdoor functionality for the
Windows platform.
W32/Agobot-AHT runs continuously in the background, providing a
backdoor server which allows a remote intruder to gain access and
control over the computer via IRC channels.
Advanced
W32/Agobot-AHT is a worm with IRC backdoor functionality for the
Windows platform.
W32/Agobot-AHT runs continuously in the background, providing a
backdoor server which allows a remote intruder to gain access and
control over the computer via IRC channels.
When first run, W32/Agobot-AHT copies itself to <System>\wcsntfy.exe.
The following registry entries are created to run wcsntfy.exe on
startup:
HKCU\Software\Microsoft\Windows\CurrentVersion\Run
Microsoft
wcsntfy.exe
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Microsoft
wcsntfy.exe
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices
Microsoft
wcsntfy.exe
Name W32/Dref-V
Type
* Virus
How it spreads
* Email messages
* Network shares
* Infected files
Affected operating systems
* Windows
Side effects
* Turns off anti-virus applications
* Sends itself to email addresses found on the infected computer
* Drops more malware
* Downloads code from the internet
* Reduces system security
* Installs itself in the Registry
Aliases
* Trojan-Downloader.Win32.Tibs.jy
* Win32/Nuwar.M
Prevalence (1-5) 2
Description
W32/Dref-V is a virus for the Windows platform.
W32/Dref-V spreads to other network computers and via email.
W32/Dref-V includes functionality to access the internet and
communicate with a remote server via HTTP.
Advanced
W32/Dref-V is a virus with mass-mailing capability for the Windows
platform. Files infected by W32/Dref-V are detected by Sophos as
W32/Dref-L.
W32/Dref-V spreads to other network computers and via email.
W32/Dref-V sends emails with a subject line of "Happy New Year!" and
an attachment named postcard.exe.
W32/Dref-V includes functionality to access the internet and
communicate with a remote server via HTTP.
When first run, W32/Dref-V copies itself to <System>\alsys.exe and
creates the following registry keys:
HKCU\Software\Microsoft\Windows\CurrentVersion\Run
Agent
<System>\alsys.exe
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Agent
<System>\alsys.exe
W32/Dref-V sets the following registry entries, disabling the
automatic startup of other software:
HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess
Start
4
Note: disabling autostart for the SharedAccess service deactivates
the Microsoft Internet Connection Firewall (ICF).
W32/Dref-V may also attempt to drop a randomly named file into the
current folder and run it. This file is detected by Sophos as
W32/Dref-V.
Name Troj/Agent-DYG
Type
* Trojan
Affected operating systems
* Windows
Side effects
* Installs itself in the Registry
Prevalence (1-5) 2
Description
Troj/Agent-DYG is a Trojan for the Windows platform.
Advanced
Troj/Agent-DYG is a Trojan for the Windows platform.
When first run, Troj/Agent-DYG copies itself to <System>\logmen.exe.
The following registry entry is created to run logmen.exe on startup:
HKLM\SOFTWARE\Microsoft\Active Setup\Installed Components\(32E79AE2-96C6-7A4B-0407-050408030200)
StubPath
<System>\logmen.exe
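The write-ups above repeat one persistence pattern: a Run/RunServices autostart value, an AuthorizedApplications\List firewall exception for the same binary, SharedAccess Start=4 (ICF off) and, for W32/Fujacks-A, SHOWALL CheckedValue=0. The following is an added example, not Sophos' or the poster's code, that checks a regedit export for those four behaviours; KNOWN_BINARIES is taken from the entries, and SAMPLE_REG is a constructed export fragment, not a real capture.

```python
import re

# Executable names listed in the write-ups above; a filename alone is a weak indicator.
KNOWN_BINARIES = {"winlogz2.exe", "spoclsv.exe", "jamesbond.exe", "winl0g0.exe",
                  "ppl.exe", "wcsntfy.exe", "alsys.exe", "logmen.exe"}
# Constructed .reg export modelled on the Rbot-FZE, Dref-U and Fujacks-A entries (not a capture).
SAMPLE_REG = r"""
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"Windows Services Layer"="C:\\WINDOWS\\system32\\winlogz2.exe"
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]
"C:\\WINDOWS\\system32\\winlogz2.exe"="C:\\WINDOWS\\system32\\winlogz2.exe:*:Enabled:Windows Services Layer"
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess]
"Start"=dword:00000004
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\Hidden\SHOWALL]
"CheckedValue"=dword:00000000
"""

VALUE_RE = re.compile(r'"(.+?)"=(?:"(.*)"|dword:([0-9a-fA-F]{8}))$')  # regedit value line

def parse_reg(text):
    """Yield (key, value_name, data); dword data becomes int, doubled backslashes are undone."""
    key = None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            key = line[1:-1]
        elif key and (m := VALUE_RE.match(line)):
            name, sdata, dword = m.groups()
            data = sdata.replace("\\\\", "\\") if sdata is not None else int(dword, 16)
            yield key, name, data

def find_indicators(text, binaries=KNOWN_BINARIES):
    """Flag autostart, firewall whitelist, SharedAccess Start=4 and SHOWALL=0 as described above."""
    findings = []
    for key, name, data in parse_reg(text):
        k = key.upper()
        if k.endswith(("\\CURRENTVERSION\\RUN", "\\CURRENTVERSION\\RUNSERVICES")):
            exe = str(data).rsplit("\\", 1)[-1].lower()
            if exe in binaries:
                findings.append(("autostart", name, exe))
        elif k.endswith("\\AUTHORIZEDAPPLICATIONS\\LIST") and isinstance(data, str):
            parts = data.rsplit(":", 3)  # <path>:*:Enabled:<display name>
            if len(parts) == 4 and parts[2].lower() == "enabled" \
                    and parts[0].rsplit("\\", 1)[-1].lower() in binaries:
                findings.append(("firewall_exception", parts[3], parts[0]))
        elif k.endswith("\\SERVICES\\SHAREDACCESS") and name == "Start" and data == 4:
            findings.append(("icf_autostart_disabled", name, data))
        elif k.endswith("\\HIDDEN\\SHOWALL") and name == "CheckedValue" and data == 0:
            findings.append(("hidden_files_forced_off", name, data))
    return findings
```

Feed it the output of `reg export` for the hives involved; a hit on the SharedAccess or SHOWALL values is worth investigating even when no listed filename matches, since those are configuration changes rather than names the malware can vary.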
--- MultiMail/Win32 v0.43
* Origin: Doc's Place BBS Fido Since 1991 www.docsplace.tzo.com (1:123/140)